Windows Analysis Report
uo9m.exe

Overview

General Information

Sample name: uo9m.exe
Analysis ID: 1590280
MD5: a83802ca265a8d7d66f7307bf4f16367
SHA1: 0d4d784f97301527064dc66420cc136132df3337
SHA256: cfab22760406b5b89f3f810702fd736306caa091dba036b8b9ffe206f415e794

Detection

LummaC
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
LummaC encrypted strings found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • uo9m.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\uo9m.exe" MD5: A83802CA265A8D7D66F7307BF4F16367)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
No configs have been found
No yara matches
No Sigma rule has matched
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2025-01-13T21:42:49.369157+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49809 | 23.50.98.133 | 443 | TCP
2025-01-13T21:42:49.930983+0100 | 2858666 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49809 | 23.50.98.133 | 443 | TCP

Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0020AE60 BCryptGenRandom,SystemFunction036, | 0_2_0020AE60
Source: uo9m.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.7:49809 version: TLS 1.2
Source: uo9m.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024E620 CloseHandle,memset,FindFirstFileExW,FindClose, | 0_2_0024E620
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024CEA0 memcpy,memcpy,memset,FindFirstFileExW,memcpy,GetLastError,FindClose,DeleteFileW,GetLastError, | 0_2_0024CEA0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then push ebp | 0_2_00204018
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then push ebp | 0_2_00204112
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-66B4894Dh] | 0_2_00BCFB02
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov edx, ecx | 0_2_00B9AF9D
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then push ebp | 0_2_00BCC0A0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_00BBF0F0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ecx, eax | 0_2_00BAA0E0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ebx, eax | 0_2_00BAA0E0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_00BBF0C4
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+3ED853ECh] | 0_2_00BA700A
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h | 0_2_00BA9000
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp al, 2Eh | 0_2_00BB818F
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_00BBF1D9
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_00BBF139
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+232F41D2h] | 0_2_00BD011F
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [edx], al | 0_2_00BBF165
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h] | 0_2_00BBD2E0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [ebx], dl | 0_2_00BBD2E0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then jmp eax | 0_2_00BBA2CF
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+esi+12A137B5h] | 0_2_00BCB210
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [esi], al | 0_2_00BBE25A
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-384D2D2Eh] | 0_2_00BA6258
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx esi, byte ptr [esp+edi+66218682h] | 0_2_00B99390
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h | 0_2_00BB938A
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 0_2_00BBB3D0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h] | 0_2_00BD2320
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ecx, word ptr [esi] | 0_2_00BD1348
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+20h] | 0_2_00BA84B7
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00BA5497
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then test esi, esi | 0_2_00BCC480
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov edx, eax | 0_2_00B9A416
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 3F2C504Eh | 0_2_00BA4592
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 0_2_00B975F0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 0_2_00B975F0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+43A84140h] | 0_2_00BBF5CA
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+edx+46h] | 0_2_00BCB500
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi-2C9D65B2h] | 0_2_00BCB500
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ch] | 0_2_00BCE560
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then lea ecx, dword ptr [eax-4BEC4700h] | 0_2_00BB1550
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov eax, ebx | 0_2_00BAC620
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_00BC8600
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx+5BCA793Fh] | 0_2_00B997E0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ecx, eax | 0_2_00B997E0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov word ptr [edi], ax | 0_2_00B997E0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ecx-180897B1h] | 0_2_00BCE7C0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h] | 0_2_00BAA7C6
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov dword ptr [esp], CF132E6Eh | 0_2_00BD171A
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+eax-02h] | 0_2_00BD171A
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 0_2_00BAE750
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ecx, ebx | 0_2_00BB98A0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ecx, eax | 0_2_00BBD890
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+67497F4Bh] | 0_2_00BBD8F5
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ecx, eax | 0_2_00BBD8F5
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then jmp ecx | 0_2_00BD18E9
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [esi], bl | 0_2_00BBE815
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov esi, edx | 0_2_00BB5990
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [esi], bl | 0_2_00BBE96A
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov byte ptr [esi], bl | 0_2_00BBE961
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov ecx, eax | 0_2_00BBD859
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movsx eax, byte ptr [ebx+ebp] | 0_2_00BD1940
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+7998D126h] | 0_2_00BB1A80
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h | 0_2_00BB1A80
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h | 0_2_00BBCAD0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h | 0_2_00BCEAD0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-13425C5Bh] | 0_2_00B9BA1B
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov esi, ecx | 0_2_00BCCA50
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then lea ecx, dword ptr [ebx+61h] | 0_2_00BB7B30
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00BB0B20
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+51047AABh] | 0_2_00BA4B1C
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 03D746FEh | 0_2_00BCEB40
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov word ptr [eax], cx | 0_2_00BA3C90
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov word ptr [edi], cx | 0_2_00BB9CD0
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ecx, word ptr [ebx+eax+02h] | 0_2_00BCCCC9
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx] | 0_2_00BB4C50
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h | 0_2_00BAADE2
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov word ptr [edi], cx | 0_2_00BAADE2
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov dword ptr [esp+3Ch], F6F1F033h | 0_2_00BCFDE4
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 4x nop then mov esi, eax | 0_2_00BCFDE4
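The "Found inlined nop instructions" entries above and the "Uses code obfuscation techniques (call, push, ret)" signature are byte-pattern findings over the mapped image. The scanner below is an added example, not Joe Sandbox code and not taken from the sample: it reproduces those two checks on a raw code buffer, reporting every run of four or more 0x90 bytes together with the opcode that follows it (the report's "4x nop then ..."), plus the two control-transfer tricks the signature names, `push imm32; ret` (a jump with no jmp opcode) and `call $+5; pop reg` (code reading its own address). The SAMPLE bytes and the 0x00204000 base address are constructed so the offsets can be checked by hand; the x86 encodings used (90, 68 imm32 + C3, E8 00000000 + 58..5F) are the standard ones. It scans bytes rather than disassembling, so an immediate that happens to contain 0x90 or 0x68 can produce a false hit; confirm interesting offsets in a disassembler.

```python
"""Locate inlined NOP runs and push/ret or call/pop control transfers in raw code.
Added example, not Joe Sandbox code; SAMPLE and BASE below are constructed."""
import re
import struct
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_nop_runs(code: bytes, base: int = 0, min_run: int = 4) -> List[Tuple[int, int, Optional[int]]]:
    """(address, run length, first opcode byte after the run) for each run of >= min_run NOPs.
    Compiler padding between functions is also NOPs; a run is interesting mainly when it
    sits inside a function body, which is what the report's 'Code function' entries show."""
    pattern = re.compile(b"\x90{%d,}" % min_run)
    hits = []
    for m in pattern.finditer(code):
        following = code[m.end()] if m.end() < len(code) else None
        hits.append((base + m.start(), m.end() - m.start(), following))
    return hits


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, int]]:
    """`push imm32; ret` (68 xx xx xx xx C3): a jump to imm32 that a linear-sweep
    disassembler does not recognise as a branch. Returns (address, target)."""
    hits = []
    for m in re.finditer(rb"\x68(.{4})\xc3", code, re.DOTALL):
        hits.append((base + m.start(), struct.unpack("<I", m.group(1))[0]))
    return hits


def find_call_pop(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """`call $+5; pop reg` (E8 00 00 00 00 then 58..5F): the usual way for shellcode or
    a self-decrypting stub to learn its own address. Returns (address, register)."""
    hits = []
    for m in re.finditer(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])", code, re.DOTALL):
        hits.append((base + m.start(), REG32[m.group(1)[0] - 0x58]))
    return hits


# Constructed code buffer; offsets in the comments are relative to BASE.
SAMPLE = (
    b"\x55\x8b\xec"                  # 0x00: push ebp; mov ebp, esp   (ordinary prologue)
    + b"\x90" * 4 + b"\x55"          # 0x03: 4x nop then push ebp     (the report's pattern)
    + b"\x33\xc0"                    # 0x08: xor eax, eax
    + b"\x68\x10\x20\x40\x00\xc3"    # 0x0A: push 0x00402010; ret     (disguised jmp)
    + b"\x90\x90\xc3"                # 0x10: 2x nop; ret              (below the threshold)
    + b"\x90" * 6 + b"\x8b\xd1"      # 0x13: 6x nop then mov edx, ecx
    + b"\xe8\x00\x00\x00\x00\x5b"    # 0x1B: call $+5; pop ebx        (get-EIP idiom)
)
BASE = 0x00204000  # assumed image base, chosen only so addresses read like the report's


def scan(code: bytes = SAMPLE, base: int = BASE) -> dict:
    """Run all three checks and return them keyed by finding type."""
    return {
        "nop_runs": find_nop_runs(code, base),
        "push_ret": find_push_ret(code, base),
        "call_pop": find_call_pop(code, base),
    }


if __name__ == "__main__":
    for kind, found in scan().items():
        for entry in found:
            print(kind, " ".join(hex(x) if isinstance(x, int) else x for x in entry if x is not None))
```

Feed `scan()` the bytes of an executable section (for the report's process, the region around 0x00B99000 to 0x00BD3000 holds most of the hits) with that section's virtual address as `base`, and the addresses line up with the `0_2_...` identifiers above.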

Networking

Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49809 -> 23.50.98.133:443
Source: Joe Sandbox View | IP Address: 23.50.98.133
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49809 -> 23.50.98.133:443
Source: global traffic | HTTP traffic detected:
  GET /profiles/76561199724331900 HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: steamcommunity.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_002507B0 recv,WSAGetLastError, | 0_2_002507B0
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=3f713095140489aea305f2c9; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 13 Jan 2025 20:42:49 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: truculengisau.biz
Source: global traffic | DNS traffic detected: DNS query: fraggielek.biz
Source: global traffic | DNS traffic detected: DNS query: grandiouseziu.biz
Source: global traffic | DNS traffic detected: DNS query: littlenotii.biz
Source: global traffic | DNS traffic detected: DNS query: marketlumpe.biz
Source: global traffic | DNS traffic detected: DNS query: nuttyshopr.biz
Source: global traffic | DNS traffic detected: DNS query: punishzement.biz
Source: global traffic | DNS traffic detected: DNS query: spookycappy.biz
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
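Everything needed to turn this report into a host-and-network detection is on the page: the sample hash, the eight .biz domains queried, the Steam profile lookup (SID 2858666, the only severity-1 alert), a Chrome user agent sent by a process that is not a browser, the JA3 hash and contacted IP, and the "TeslaBrowser/5.5" POST user agent from the Malpedia description under Classification. The Python below is an added example, not part of the Joe Sandbox report or the malware; it matches those indicators against constructed, normalised events (the field names are an assumed schema, not any sensor's real format) and keeps strong indicators apart from corroborating ones. Two caveats the page itself supports: 23.50.98.133 is the address that served steamcommunity.com on port 49809 in this run, and the JA3 alert fired at severity 3, so neither should raise an alert alone. The profile check is generalised from the single profile ID shown here to any /profiles/ path from a non-browser process, on the assumption that the ID is not stable across builds; that generalisation, and the browser allowlist, are mine, not the report's.

```python
"""Match the indicators in this report against normalised host/network events.
Added example, not part of the Joe Sandbox report; EVENTS and the field schema
(type, process, query, dst_ip, ja3, host, path, method, user_agent, sha256) are constructed."""
from typing import Dict, List

# Indicators taken from the report above.
SAMPLE_SHA256 = "cfab22760406b5b89f3f810702fd736306caa091dba036b8b9ffe206f415e794"
C2_CANDIDATE_DOMAINS = {
    "truculengisau.biz", "fraggielek.biz", "grandiouseziu.biz", "littlenotii.biz",
    "marketlumpe.biz", "nuttyshopr.biz", "punishzement.biz", "spookycappy.biz",
}
STEAM_PROFILE_PATH = "/profiles/76561199724331900"
CONTACTED_IP = "23.50.98.133"                   # served steamcommunity.com in this run
JA3_HASH = "a0e9f5d64349fb13191bc781f81f42e1"   # ET "Fake Firefox Font Update", severity 3
EXFIL_USER_AGENT = "TeslaBrowser/5.5"           # Malpedia: UA on Lumma exfiltration POSTs

# Assumption: processes that may legitimately fetch a Steam profile page.
BROWSER_OR_STEAM = ("chrome.exe", "msedge.exe", "firefox.exe", "steam.exe", "steamwebhelper.exe")

# Indicators that justify an alert on their own versus ones that only corroborate.
STRONG = {"sample_hash", "lumma_c2_domain", "lumma_steam_profile_lookup", "lumma_exfil_user_agent"}
WEAK = {"ja3_possible_malware", "ip_seen_with_malware"}


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator names one event matches, in a fixed order."""
    hits: List[str] = []
    kind = ev.get("type")
    proc = ev.get("process", "").lower()

    if kind == "file" and ev.get("sha256", "").lower() == SAMPLE_SHA256:
        hits.append("sample_hash")

    if kind == "dns" and ev.get("query", "").lower().rstrip(".") in C2_CANDIDATE_DOMAINS:
        hits.append("lumma_c2_domain")

    if kind == "tls":
        if ev.get("ja3") == JA3_HASH:
            hits.append("ja3_possible_malware")
        if ev.get("dst_ip") == CONTACTED_IP:
            hits.append("ip_seen_with_malware")

    if kind == "http":
        # Generalised from the one profile ID on the page to any profile path (assumption).
        steam_lookup = (ev.get("host") == "steamcommunity.com"
                        and ev.get("path", "").startswith("/profiles/"))
        if steam_lookup and proc not in BROWSER_OR_STEAM:
            hits.append("lumma_steam_profile_lookup")
        if ev.get("method") == "POST" and ev.get("user_agent") == EXFIL_USER_AGENT:
            hits.append("lumma_exfil_user_agent")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Aggregate hits for one host; weak indicators alone never produce an alert."""
    seen: Dict[str, int] = {}
    for ev in events:
        for name in match_event(ev):
            seen[name] = seen.get(name, 0) + 1
    strong = sorted(n for n in seen if n in STRONG)
    weak = sorted(n for n in seen if n in WEAK)
    return {"strong": strong, "weak": weak, "alert": bool(strong)}


# Constructed telemetry: the first five mirror what the report shows for uo9m.exe,
# the last two are benign look-alikes that must not alert on their own.
EVENTS: List[Dict[str, str]] = [
    {"type": "file", "process": "uo9m.exe", "sha256": SAMPLE_SHA256},
    {"type": "dns", "process": "uo9m.exe", "query": "truculengisau.biz"},
    {"type": "dns", "process": "uo9m.exe", "query": "steamcommunity.com"},
    {"type": "tls", "process": "uo9m.exe", "dst_ip": CONTACTED_IP, "dst_port": "443", "ja3": JA3_HASH},
    {"type": "http", "process": "uo9m.exe", "method": "GET", "host": "steamcommunity.com",
     "path": STEAM_PROFILE_PATH,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"},
    {"type": "http", "process": "chrome.exe", "method": "GET", "host": "steamcommunity.com",
     "path": STEAM_PROFILE_PATH},
    {"type": "tls", "process": "OneDrive.exe", "dst_ip": CONTACTED_IP, "dst_port": "443", "ja3": JA3_HASH},
]


if __name__ == "__main__":
    print(triage(EVENTS))
```

In the sample run the .biz queries are the only C2 indicator that precedes the Steam lookup, and only the Steam lookup produced a connection, so a DNS-only sensor still catches this sample while a proxy-only sensor has to rely on the non-browser process making the profile request.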
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:27060
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1534840086.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1534840086.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1534840086.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.steampowered.com/
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://checkout.steampowered.com/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533819792.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: uo9m.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://login.steampowered.com/
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://lv.queniujq.cn
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://medal.tv
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://player.vimeo.com
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://s.ytimg.com;
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sketchfab.com
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://steam.tv/
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcast.akamaized.net
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533819792.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
Source: uo9m.exe, 00000000.00000002.1535591368.0000000003650000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/-
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1534840086.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1535022371.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533819792.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533939952.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533819792.0000000000CA1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: uo9m.exe, 00000000.00000002.1535022371.0000000000C85000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533819792.0000000000C83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900%
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
Source: uo9m.exe, 00000000.00000003.1533819792.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
Source: uo9m.exe, 00000000.00000003.1533819792.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1534840086.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shopM
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
Source: uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533819792.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
Source: uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | HTTPS traffic detected: 23.50.98.133:443 -> 192.168.2.7:49809 version: TLS 1.2
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_00BC6170 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_001F7F50 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024C080 NtOpenFile,RtlNtStatusToDosError,NtOpenFile,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0023C2AE NtReadFile,WaitForSingleObject,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0023C80E NtReadFile,WaitForSingleObject,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024F651 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,ReadFile,GetLastError
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024D750 GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,NtOpenFile,SetFileInformationByHandle,CloseHandle,GetLastError,SetFileInformationByHandle,GetLastError,CloseHandle,SwitchToThread,RtlNtStatusToDosError,NtOpenFile,RtlNtStatusToDosError,CloseHandle,SwitchToThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeviceIoControl,GetLastError,CloseHandle,memcpy,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024FD90 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024FEA0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetConsoleMode,GetFileType,memset,GetFileInformationByHandleEx,memcpy
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_0024EE00 memmove,DeviceIoControl,CloseHandle,GetLastError
Source: C:\Users\user\Desktop\uo9m.exe | Code function: String function: 0028E1A0 appears 38 times
Source: C:\Users\user\Desktop\uo9m.exe | Code function: String function: 0028A790 appears 51 times
Source: C:\Users\user\Desktop\uo9m.exe | Code function: String function: 0028A430 appears 55 times
Source: C:\Users\user\Desktop\uo9m.exe | Code function: String function: 00B98180 appears 73 times
Source: C:\Users\user\Desktop\uo9m.exe | Code function: String function: 00BA3C80 appears 108 times
Source: C:\Users\user\Desktop\uo9m.exe | Code function: String function: 0028A050 appears 114 times
Source: uo9m.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine | Classification label: mal56.evad.winEXE@1/0@9/1
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_002511A0 memset,GetModuleHandleW,FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_001F9790 CreateToolhelp32Snapshot,memset,Process32FirstW,memcpy,memcpy,Process32NextW,CloseHandle,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_00BCB500 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString
Source: C:\Users\user\Desktop\uo9m.exe | Mutant created: \Sessions\1\BaseNamedObjects\TestyFlamingo
Source: uo9m.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uo9m.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\uo9m.exe | File read: C:\Users\user\Desktop\uo9m.exe
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\uo9m.exe | Section loaded: dpapi.dll
Source: uo9m.exe | Static file information: File size 799014912 > 1048576
Source: uo9m.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_001F7A40 CreateTimerQueue,CreateEventW,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,SetEvent,DeleteTimerQueue
Source: uo9m.exe | Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_002A6D50 push eax; mov dword ptr [esp], esi | 0_2_002A6DF1
Source: C:\Users\user\Desktop\uo9m.exe | Code function: 0_2_00BD12A0 push eax; mov dword ptr [esp], 1C1F1E71h | 0_2_00BD12A1

Malware Analysis System Evasion

Source: uo9m.exe, 00000000.00000002.1534840086.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: IDAG.EXE
Source: uo9m.exe, 00000000.00000002.1534840086.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: SYSANALYZER.EXE
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F9790: CreateToolhelp32Snapshot, memset, Process32FirstW, memcpy, memcpy, Process32NextW, CloseHandle, GetCurrentProcessId, DebugActiveProcess, GetCurrentProcess, TerminateProcess, CloseHandle, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcessId, DebugActiveProcess, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\uo9m.exe. API coverage: 3.2 %
Source: C:\Users\user\Desktop\uo9m.exe, TID 7812. Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_0024E620: CloseHandle, memset, FindFirstFileExW, FindClose
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_0024CEA0: memcpy, memcpy, memset, FindFirstFileExW, memcpy, GetLastError, FindClose, DeleteFileW, GetLastError
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_00231750: GetSystemInfo
Source: uo9m.exe, 00000000.00000003.1533819792.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: Hyper-V RAW
Source: uo9m.exe, 00000000.00000002.1534840086.0000000000C78000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: Hyper-V RAWps
Source: C:\Users\user\Desktop\uo9m.exe. Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_00BCFCF0: LdrInitializeThunk
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F9790: CreateToolhelp32Snapshot, memset, Process32FirstW, memcpy, memcpy, Process32NextW, CloseHandle, GetCurrentProcessId, DebugActiveProcess, GetCurrentProcess, TerminateProcess, CloseHandle, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcessId, DebugActiveProcess, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F7A40: CreateTimerQueue, CreateEventW, GetModuleHandleA, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, CreateEventW, WaitForSingleObject, SetEvent, DeleteTimerQueue
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001FE250: GetProcessHeap, HeapFree, RtlFreeHeap
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F116A: Sleep, Sleep, SetUnhandledExceptionFilter, malloc, strlen, malloc, memcpy, __initenv, _amsg_exit, _initterm, _cexit, _initterm
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_0022FE60: AddVectoredExceptionHandler, RtlAddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SetThreadDescription, SetThreadDescription
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F7F50: memset, GetModuleHandleA, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetProcAddress, AddVectoredExceptionHandler, RtlAddVectoredExceptionHandler, NtQueryInformationProcess, NtQuerySystemInformation, NtOpenThread, NtGetContextThread, NtSetContextThread, NtClose
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F1160: Sleep, SetUnhandledExceptionFilter, malloc, strlen, malloc, memcpy, __initenv
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F1187: Sleep, SetUnhandledExceptionFilter, malloc, strlen, malloc, memcpy, __initenv
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001F1319: SetUnhandledExceptionFilter, malloc, strlen, malloc, memcpy, __initenv, _amsg_exit, _initterm
Source: C:\Users\user\Desktop\uo9m.exe. Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: uo9m.exe. Strings found in binary or memory: spookycappy.biz, punishzement.biz, truculengisau.biz, littlenotii.biz, grandiouseziu.biz, nuttyshopr.biz, marketlumpe.biz, fraggielek.biz (all eight appear in the domain table below as malicious, with no IP resolved during the run)
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_001FE4A0: cpuid
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_00251DF0: ExitProcess, GetCurrentProcessId, ProcessPrng, ProcessPrng, CreateNamedPipeW, GetLastError, CloseHandle, CloseHandle
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_00246F90: GetSystemTimePreciseAsFileTime
Source: C:\Users\user\Desktop\uo9m.exe. Key value queried: key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_0025E0F0: bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\uo9m.exe. Code function 0_2_0025E4A0: bind, WSAGetLastError, closesocket
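The signature lines in the two sections above are more useful once the per-function API chains are pulled out and compared against the anti-analysis combinations they contain (Toolhelp32 enumeration followed by DebugActiveProcess/TerminateProcess, a vectored exception handler paired with NtGetContextThread/NtSetContextThread, cpuid, bind/listen) and the candidate C2 domains are separated from the noise. The following is an added example written for this page, not code from Joe Sandbox or from the sample: it parses the report's raw flattened lines into API chains, flags chains that contain every API of a pattern, and collects domains and analysis-tool names. The sample input is copied from the report's original flattened lines; the pattern names and API sets are assumptions of this example, not Joe Sandbox categories.

```python
"""Triage helper for flattened Joe Sandbox signature lines (added example)."""
import re
from collections import Counter

# Sample input: signature lines copied from the report, in its raw flattened form.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\uo9m.exeCode function: 0_2_001F9790 CreateToolhelp32Snapshot,memset,Process32FirstW,memcpy,memcpy,Process32NextW,CloseHandle,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,DebugActiveProcess,GetCurrentProcess,TerminateProcess,0_2_001F9790",
    "Source: C:\\Users\\user\\Desktop\\uo9m.exeCode function: 0_2_001F7F50 memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtSetContextThread,NtClose,0_2_001F7F50",
    "Source: C:\\Users\\user\\Desktop\\uo9m.exeCode function: 0_2_0025E0F0 bind,listen,WSAGetLastError,closesocket,0_2_0025E0F0",
    "Source: C:\\Users\\user\\Desktop\\uo9m.exeCode function: 0_2_001FE4A0 cpuid 0_2_001FE4A0",
    "Source: C:\\Users\\user\\Desktop\\uo9m.exeCode function: 0_2_00231750 GetSystemInfo,0_2_00231750",
    "Source: uo9m.exeString found in binary or memory: spookycappy.biz",
    "Source: uo9m.exeString found in binary or memory: punishzement.biz",
    "Source: uo9m.exe, 00000000.00000002.1534840086.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IDAG.EXE",
]

# "Code function: <addr> <api>,<api>,...,<addr>"; the trailing address is optional so the
# regex also accepts cleaned-up lines that omit it.
CODE_FUNC_RE = re.compile(
    r"Code function:?\s+(?P<addr>0_2_[0-9A-Fa-f]+):?\s+(?P<chain>.*?)(?:,?\s*(?P=addr))?\s*$"
)
STRING_RE = re.compile(r"String found in binary or memory: (?P<value>\S+)\s*$")
MEMSTR_RE = re.compile(r"Binary or memory string: (?P<value>.+?)\s*$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Assumed patterns (this example's own, not Joe Sandbox signatures). A function is flagged
# only when its chain contains every API in the set, so a lone TerminateProcess or a stray
# bind in runtime code does not trigger it.
ANTI_ANALYSIS_PATTERNS = {
    "process enumeration + DebugActiveProcess/TerminateProcess": {
        "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
        "DebugActiveProcess", "TerminateProcess",
    },
    "vectored exception handler + thread context read/write": {
        "AddVectoredExceptionHandler", "NtGetContextThread", "NtSetContextThread",
    },
    "native process/system information queries": {
        "NtQueryInformationProcess", "NtQuerySystemInformation",
    },
    "cpuid probing": {"cpuid"},
    "bind/listen local listener": {"bind", "listen"},
}


def parse_lines(lines):
    """Split report lines into {address: [apis]}, sorted domains and memory strings."""
    functions, domains, memory_strings = {}, set(), []
    for line in lines:
        m = CODE_FUNC_RE.search(line)
        if m:
            chain = [api.strip() for api in m.group("chain").split(",") if api.strip()]
            functions[m.group("addr")] = chain
            continue
        m = STRING_RE.search(line)
        if m and DOMAIN_RE.match(m.group("value")):
            domains.add(m.group("value").lower())
            continue
        m = MEMSTR_RE.search(line)
        if m:
            memory_strings.append(m.group("value"))
    return functions, sorted(domains), memory_strings


def match_patterns(functions):
    """Return {address: [pattern names]} for every parsed function (empty list if none)."""
    matches = {}
    for addr, chain in functions.items():
        present = set(chain)
        matches[addr] = [name for name, apis in ANTI_ANALYSIS_PATTERNS.items()
                         if apis <= present]
    return matches


def triage(lines):
    """Full pass: API chains, pattern hits, API frequency, domains, analysis-tool strings."""
    functions, domains, memory_strings = parse_lines(lines)
    api_counts = Counter(api for chain in functions.values() for api in chain)
    return {
        "functions": functions,
        "matches": match_patterns(functions),
        "api_counts": api_counts,
        "domains": domains,
        "memory_strings": memory_strings,
    }


def flagged_functions(result):
    """Addresses with at least one pattern hit, in report order."""
    return [addr for addr, names in result["matches"].items() if names]


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for addr in flagged_functions(result):
        print(f"{addr}: {', '.join(result['matches'][addr])}")
    print("candidate C2 domains:", ", ".join(result["domains"]))
    print("analysis-tool names:", ", ".join(result["memory_strings"]))
```

Feeding the whole report text instead of SAMPLE_LINES gives the complete picture; lines that match neither regex are ignored, and the same address appearing under two signature headings (as 0_2_001F9790 does above) is simply parsed twice with the same chain.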
MITRE ATT&CK matrix (reconstructed from the flattened cells). A number in parentheses is the count of matched signatures for that technique; techniques without a count are the unmatched placeholder cells of the matrix template.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Native API (1), PowerShell (1), At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Process Injection (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: System Time Discovery (1), Security Software Discovery (121), Virtualization/Sandbox Evasion (1), Process Discovery (2), File and Directory Discovery (1), System Information Discovery (14)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Clipboard Data (2), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (21), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
No Antivirus matches
Domains (no antivirus detection was reported for any entry):

Name                              IP              Active    Malicious   Reputation
steamcommunity.com                23.50.98.133    true      false       high
s-part-0017.t-0009.t-msedge.net   13.107.246.45   true      false       high
littlenotii.biz                   unknown         unknown   true        unknown
fraggielek.biz                    unknown         unknown   true        unknown
nuttyshopr.biz                    unknown         unknown   true        unknown
grandiouseziu.biz                 unknown         unknown   true        unknown
marketlumpe.biz                   unknown         unknown   true        unknown
spookycappy.biz                   unknown         unknown   true        unknown
truculengisau.biz                 unknown         unknown   true        unknown
punishzement.biz                  unknown         unknown   true        unknown

The eight .biz domains never resolved during the run; the two that did resolve are the Steam community site and a Microsoft edge host.

URLs contacted (no antivirus detection):

Name                                                    Malicious   Reputation
https://steamcommunity.com/profiles/76561199724331900   false       high
URLs found in memory or in the file. Every entry below is rated Malicious = false, Reputation = high, with no antivirus detection; only the URL and its source differ. Source abbreviations (each R entry is a memory dump of uo9m.exe):

  R1 = 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp
  R2 = 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmp
  R3 = 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp
  R4 = 00000000.00000002.1535591368.0000000003650000.00000004.00000800.00020000.00000000.sdmp
  R5 = 00000000.00000002.1535022371.0000000000C85000.00000004.00000020.00020000.00000000.sdmp
  R6 = 00000000.00000003.1533819792.0000000000C83000.00000004.00000020.00020000.00000000.sdmp
  R7 = 00000000.00000002.1534840086.0000000000C80000.00000004.00000020.00020000.00000000.sdmp
  R8 = 00000000.00000003.1533819792.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp
  FILE = the uo9m.exe file itself (static string)

URL  [sources]
https://steamcommunity.com/my/wishlist/  [R1, R2]
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png  [R1]
https://player.vimeo.com  [R3, R2]
https://steamcommunity.com/-  [R4]
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&  [R1, R2]
https://steamcommunity.com/?subsection=broadcasts  [R1]
https://help.steampowered.com/en/  [R1]
https://steamcommunity.com/market/  [R1]
https://steamcommunity.com/profiles/76561199724331900%  [R5, R6]
https://store.steampowered.com/news/  [R1]
https://docs.rs/getrandom#nodejs-es-module-support  [FILE]
https://store.steampowered.com/subscriber_agreement/  [R1]
https://www.gstatic.cn/recaptcha/  [R3, R2]
http://store.steampowered.com/subscriber_agreement/  [R1, R7, R2]
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org  [R1, R7, R2]
https://recaptcha.net/recaptcha/;  [R3, R2]
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en  [R1, R2]
http://www.valvesoftware.com/legal.htm  [R1]
https://steamcommunity.com/discussions/  [R1]
https://www.youtube.com  [R3, R2]
https://www.google.com  [R3, R2]
https://store.steampowered.com/points/shopM  [R2]
https://store.steampowered.com/stats/  [R1]
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am  [R1, R2]
https://medal.tv  [R3, R2]
https://broadcast.st.dl.eccdnx.com  [R3, R2]
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png  [R1]
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a  [R1, R2]
https://store.steampowered.com/steam_refunds/  [R1]
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback  [R1, R6, R2]
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900  [R1, R2]
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6  [R1, R2]
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016  [R1]
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/  [R3, R2]
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl  [R1, R2]
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC  [R1, R2]
https://s.ytimg.com;  [R3, R2]
https://steamcommunity.com/workshop/  [R1]
https://login.steampowered.com/  [R2]
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb  [R8, R3]
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c  [R1, R2]
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1  [R1, R6, R2]
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&  [R1, R2]
https://store.steampowered.com/legal/  [R1, R7, R2]
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE  [R1, R2]
https://community.fastly.steamstatic.com/  [R2]
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli  [R1, R2]
https://steam.tv/  [R3, R2]
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en  [R1, R2]
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng  [R1, R2]
http://store.steampowered.com/privacy_agreement/  [R1, R7, R2]
https://store.steampowered.com/points/shop/  [R1]
https://recaptcha.net  [R3, R2]
https://store.steampowered.com/  [R2]
https://steamcommunity.com  [R1, R6, R2]
https://sketchfab.com  [R3, R2]
https://lv.queniujq.cn  [R3, R2]
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png  [R1]
https://www.youtube.com/  [R3, R2]
                                                                                                                                              http://127.0.0.1:27060uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://store.steampowered.com/privacy_agreement/uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_Auo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQuo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&amuo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://www.google.com/recaptcha/uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://checkout.steampowered.com/uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&ampuo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://help.steampowered.com/uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://api.steampowered.com/uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://store.steampowered.com/account/cookiepreferences/uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1534840086.0000000000C80000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://store.steampowered.com/mobileuo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://steamcommunity.com/uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://store.steampowered.com/;uo9m.exe, 00000000.00000003.1533819792.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000002.1535106837.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://store.steampowered.com/about/uo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&luo9m.exe, 00000000.00000003.1533778468.0000000003669000.00000004.00000800.00020000.00000000.sdmp, uo9m.exe, 00000000.00000003.1533778468.0000000003663000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
23.50.98.133 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590280
Start date and time: 2025-01-13 21:41:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uo9m.exe
Detection: MAL
Classification: mal56.evad.winEXE@1/0@9/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 24
• Number of non-executed functions: 122
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:42:47 | API Interceptor | 2x Sleep call for process: uo9m.exe modified
                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                              23.50.98.133file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                  file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                      file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                                                                                                          file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                            https://u.to/UKDgIAGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              SecuriteInfo.com.Win32.PWSX-gen.1070.11757.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                                                SecuriteInfo.com.Trojan.PWS.Steam.37477.6298.10622.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  steamcommunity.comL7GNkeVm5e.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  NDWffRLk7z.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  g3toRYa6JE.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  lBb4XI4eGD.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  UWYXurYZ2x.exeGet hashmaliciousLummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty StealerBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  TBI87y49f9.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  H5JVfa61AV.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  2EG0jAmtY6.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  rii2.mp3.htaGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  176.113.115.170.ps1Get hashmaliciousLummaCBrowse
                                                                                                                                                                                                  • 104.102.49.254
                                                                                                                                                                                                  s-part-0017.t-0009.t-msedge.netRoYAd85faz.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 13.107.246.45
                                                                                                                                                                                                  KymUijfvKi.docGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | EFT_Payment_Notification_Warriorsheart.html | malicious | HTMLPhisher | 13.107.246.45
 | B317.xlsx | malicious | Unknown | 13.107.246.45
 | https://timecusa-my.sharepoint.com/:f:/p/stephensw/Erq5TMDIJBVBvh6vbWmpurEB4UwHKTW8nzSkPE2Ckmvugg?e=SepTcT | malicious | HTMLPhisher | 13.107.246.45
 | B317.xlsx | malicious | Unknown | 13.107.246.45
 | https://docusign.legalcloudfiles.com/S06ga?e=clopez@autopistacentral.cl | malicious | HTMLPhisher | 13.107.246.45
 | https://maya-lopez.filemail.com/t/XhcWEjoR | malicious | Unknown | 13.107.246.45
 | Handler.exe | malicious | DanaBot, Vidar | 13.107.246.45
 | Scan.html | malicious | HTMLPhisher | 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AKAMAI-ASUS | https://timecusa-my.sharepoint.com/:f:/p/stephensw/Erq5TMDIJBVBvh6vbWmpurEB4UwHKTW8nzSkPE2Ckmvugg?e=SepTcT | malicious | HTMLPhisher | 2.19.126.84
 | Handler.exe | malicious | DanaBot, Vidar | 23.40.179.46
 | phish_alert_sp2_2.0.0.0.eml | malicious | Unknown | 2.19.126.75
 | Cardfactory Executed Agreement DocsID- Sign & Review..eml | malicious | HTMLPhisher | 23.56.162.204
 | https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link | malicious | Unknown | 23.212.88.20
 | elitebotnet.mpsl.elf | malicious | Mirai, Okiru | 104.114.132.152
 | elitebotnet.x86.elf | malicious | Mirai, Okiru | 23.67.87.233
 | 6.elf | malicious | Unknown | 23.204.223.224
 | L7GNkeVm5e.exe | malicious | LummaC | 104.102.49.254
 | 3bSDIpSIdF.msi | malicious | Unknown | 23.57.90.146
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | YYYY-NNN AUDIT DETAIL REPORT .docx | malicious | Unknown | 23.50.98.133
 | msit.exe | malicious | LummaC Stealer | 23.50.98.133
 | tesr.exe | malicious | LummaC Stealer | 23.50.98.133
 | WSLRT.exe | malicious | LummaC Stealer | 23.50.98.133
 | msit.msi | malicious | LummaC Stealer | 23.50.98.133
 | PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM | malicious | Unknown | 23.50.98.133
 | PCB - Lyell Highway Upgrades Queenstown to Strahan - March 2021.XLSM | malicious | Unknown | 23.50.98.133
 | L7GNkeVm5e.exe | malicious | LummaC | 23.50.98.133
 | sE5IdDeTp2.exe | malicious | Unknown | 23.50.98.133
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 0.029844611142384448
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: uo9m.exe
File size: 799'014'912 bytes
MD5: a83802ca265a8d7d66f7307bf4f16367
SHA1: 0d4d784f97301527064dc66420cc136132df3337
SHA256: cfab22760406b5b89f3f810702fd736306caa091dba036b8b9ffe206f415e794
SHA512: 840aa02c0bac4ef8436dfbd36f1d5d384efa3ff1eaa5012f92b9337eade110ac526163935df7d7e8326e6b5b51b06718e7642b79d5ed6c66bf8cdb6e1f609479
SSDEEP:
TLSH:
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.;.h..[.....&....*..........................@..........................0......:.....@... ............................
Icon Hash: 29226ee6b692c62f
Entrypoint: 0x4013e0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x3BE130B9 [Thu Nov 1 11:23:37 2001 UTC]
TLS Callbacks: 0x46d530, 0x4ba960, 0x4ba910, 0x4b5f40
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 870017c0621e77ae427bc42242f26bc8
Instruction
mov dword ptr [00560234h], 00000001h
jmp 00007F4B7D0818F6h
nop
mov dword ptr [00560234h], 00000000h
jmp 00007F4B7D0818E6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F4B7D13AEC6h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
sub esp, 08h
lea ecx, dword ptr [00546104h]
lea eax, dword ptr [00560020h]
mov dword ptr [esp], ecx
mov dword ptr [esp+04h], eax
call 00007F4B7D134F37h
add esp, 08h
pop ebp
ret
nop word ptr [eax+eax+00000000h]
nop dword ptr [eax]
push ebp
mov ebp, esp
sub esp, 08h
lea ecx, dword ptr [00546104h]
lea eax, dword ptr [00560020h]
mov dword ptr [esp], ecx
mov dword ptr [esp+04h], eax
call 00007F4B7D135197h
add esp, 08h
pop ebp
ret
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+0Ch]
mov edx, dword ptr [eax+14h]
test dl, 00000010h
jne 00007F4B7D081B96h
mov ecx, dword ptr [ebp+08h]
test dl, 00000020h
jne 00007F4B7D081B94h
push eax
push ecx
call 00007F4B7D12A068h
add esp, 08h
pop ebp
                                                                                                                                                                                                  ret
                                                                                                                                                                                                  pop ebp
                                                                                                                                                                                                  jmp 00007F4B7D12938Dh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x161000         0x1c0c        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x165000         0x6c0c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x16c000         0x68fc        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x1455e4         0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1614a4         0x3b4         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type               Entropy             Characteristics
.text     0x1000           0xbe480       0xbe600   14afe16819cefb456a57dfbb261bfa84  False     0.5144246552856205   data                    6.536835421663965   IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data     0xc0000          0x6a4         0x800     b0a386aff6633dee36d56775aea5f680  False     0.103515625          data                    0.8174171019176437  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata    0xc1000          0x848a8       0x84a00   a0b17314fc2d598b41e4a0eb92ddfd0b  False     0.748982018732328    data                    7.707327915600917   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram  0x146000         0x19e38       0x1a000   8212dba1448bfaca52fe84c1c28105b3  False     0.32677283653846156  data                    5.083061671706065   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss      0x160000         0x270         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty                   0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x161000         0x1c0c        0x1e00    d92df5b41991508676da4070bcda8775  False     0.31940104166666666  SysEx File - Oberheim   5.017837839075456   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT      0x163000         0x38          0x200     96ef153fd5ad30b3f2dac280a614d5fd  False     0.078125             data                    0.33445688494273207 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls      0x164000         0x8           0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375           data                    0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x165000         0x6c0c        0x6e00    afb169a073748710747c9549937b7fb8  False     0.5189630681818181   data                    5.960924050488915   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    0x16c000         0x68fc        0x6a00    8ea008d8151b2c3d348cef8e65b3146e  False     0.7341907429245284   data                    6.631303672357615   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size    Type                                                            Language  Country        ZLIB Complexity
RT_ICON        0x1652b0  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 0    English   United States  0.23902439024390243
RT_ICON        0x165918  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 0    English   United States  0.38306451612903225
RT_ICON        0x165c00  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 0    English   United States  0.597972972972973
RT_ICON        0x165d28  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0    English   United States  0.6084754797441365
RT_ICON        0x166bd0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0    English   United States  0.8172382671480144
RT_ICON        0x167478  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0    English   United States  0.7276011560693642
RT_ICON        0x1679e0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   English   United States  0.4179460580912863
RT_ICON        0x169f88  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   English   United States  0.6719043151969981
RT_ICON        0x16b030  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0   English   United States  0.8315602836879432
RT_GROUP_ICON  0x16b498  0x84    data                                                            English   United States  0.6363636363636364
RT_VERSION     0x16b51c  0x228   data                                                            English   United States  0.4891304347826087
RT_MANIFEST    0x16b744  0x4c7   exported SGML document, ASCII text                              English   United States  0.4145543744889616
DLL                               Import
ntdll.dll                         NtGetContextThread, NtOpenThread, NtSetContextThread
advapi32.dll                      GetTokenInformation, OpenProcessToken, SystemFunction036
bcrypt.dll                        BCryptGenRandom
kernel32.dll                      AddVectoredExceptionHandler, CancelIo, CloseHandle, CompareStringOrdinal, CopyFileExW, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateHardLinkW, CreateMutexA, CreateNamedPipeW, CreatePipe, CreateProcessW, CreateSymbolicLinkW, CreateThread, CreateTimerQueue, CreateToolhelp32Snapshot, CreateWaitableTimerExW, DebugActiveProcess, DeleteFileW, DeleteProcThreadAttributeList, DeleteTimerQueue, DeviceIoControl, DuplicateHandle, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FormatMessageW, FreeEnvironmentStringsW, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFileType, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessId, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimePreciseAsFileTime, GetTempPathW, GetWindowsDirectoryW, HeapAlloc, HeapCreate, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeProcThreadAttributeList, LoadLibraryA, LockFileEx, MapViewOfFile, Module32FirstW, Module32NextW, MultiByteToWideChar, Process32FirstW, Process32NextW, QueryPerformanceCounter, QueryPerformanceFrequency, ReadConsoleW, ReadFile, ReadFileEx, ReleaseMutex, RemoveDirectoryW, RtlCaptureContext, SetCurrentDirectoryW, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFileInformationByHandle, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnlockFile, UnmapViewOfFile, UpdateProcThreadAttribute, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFileEx, lstrlenW
ntdll.dll                         NtClose, NtOpenFile, NtQueryInformationProcess, NtQuerySystemInformation, NtReadFile, NtWriteFile, RtlNtStatusToDosError
userenv.dll                       GetUserProfileDirectoryW
ws2_32.dll                        WSACleanup, WSADuplicateSocketW, WSAGetLastError, WSARecv, WSASend, WSASocketW, WSAStartup, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, getpeername, getsockname, getsockopt, ioctlsocket, listen, recv, recvfrom, select, send, sendto, setsockopt, shutdown
api-ms-win-core-synch-l1-2-0.dll  WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
bcryptprimitives.dll              ProcessPrng
KERNEL32.dll                      CreateEventA, CreateSemaphoreA, DeleteCriticalSection, EnterCriticalSection, GetCurrentThreadId, GetHandleInformation, GetProcessAffinityMask, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, OpenProcess, OutputDebugStringA, RaiseException, ReleaseSemaphore, ResetEvent, ResumeThread, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, SuspendThread, TryEnterCriticalSection, VirtualProtect, VirtualQuery
msvcrt.dll                        __getmainargs, __initenv, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _exit, _fmode, _fpreset, _initterm, _iob, _onexit, _setjmp3, _strdup, _vsnprintf, abort, calloc, exit, fprintf, free, fwrite, longjmp, malloc, memcmp, memcpy, memmove, memset, printf, realloc, signal, strlen, strncmp, vfprintf
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                        SID      Signature                                                   Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
2025-01-13T21:42:49.369157+0100  2028371  ET JA3 Hash - Possible Malware - Fake Firefox Font Update   3         192.168.2.7  49809        23.50.98.133  443        TCP
2025-01-13T21:42:49.930983+0100  2858666  ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup      1         192.168.2.7  49809        23.50.98.133  443        TCP
                                                                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                  Jan 13, 2025 21:42:48.677619934 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:48.677644014 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:48.677704096 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:48.715331078 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:48.715342999 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.369081974 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.369157076 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.372302055 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.372323990 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.372632027 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.412120104 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.432779074 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.475374937 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931225061 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931291103 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931303024 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931329966 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931366920 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931372881 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931387901 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931391001 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931421995 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:49.931442976 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.018527031 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.018703938 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.018723011 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.018783092 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.018800020 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.018805981 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.018873930 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.021166086 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.021178007 CET4434980923.50.98.133192.168.2.7
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.021193027 CET49809443192.168.2.723.50.98.133
                                                                                                                                                                                                  Jan 13, 2025 21:42:50.021198034 CET4434980923.50.98.133192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2025 21:42:48.565608025 CET | 51765 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.574609995 CET | 53 | 51765 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.579888105 CET | 61646 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.589463949 CET | 53 | 61646 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.590785027 CET | 52688 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.599961996 CET | 53 | 52688 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.600970030 CET | 61348 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.609463930 CET | 53 | 61348 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.611480951 CET | 61605 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.620702982 CET | 53 | 61605 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.622596979 CET | 59262 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.631741047 CET | 53 | 59262 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.633910894 CET | 49743 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.643004894 CET | 53 | 49743 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.644119024 CET | 60718 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.653106928 CET | 53 | 60718 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 21:42:48.655172110 CET | 63238 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 21:42:48.662281990 CET | 53 | 63238 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 13, 2025 21:42:48.565608025 CET | 192.168.2.7 | 1.1.1.1 | 0x7019 | Standard query (0) | truculengisau.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.579888105 CET | 192.168.2.7 | 1.1.1.1 | 0x2dd4 | Standard query (0) | fraggielek.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.590785027 CET | 192.168.2.7 | 1.1.1.1 | 0xb847 | Standard query (0) | grandiouseziu.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.600970030 CET | 192.168.2.7 | 1.1.1.1 | 0xe6d3 | Standard query (0) | littlenotii.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.611480951 CET | 192.168.2.7 | 1.1.1.1 | 0xb6e9 | Standard query (0) | marketlumpe.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.622596979 CET | 192.168.2.7 | 1.1.1.1 | 0x76e1 | Standard query (0) | nuttyshopr.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.633910894 CET | 192.168.2.7 | 1.1.1.1 | 0xcaf7 | Standard query (0) | punishzement.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.644119024 CET | 192.168.2.7 | 1.1.1.1 | 0x35b7 | Standard query (0) | spookycappy.biz | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.655172110 CET | 192.168.2.7 | 1.1.1.1 | 0xebc1 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 13, 2025 21:42:30.443747044 CET | 1.1.1.1 | 192.168.2.7 | 0x3908 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 13, 2025 21:42:30.443747044 CET | 1.1.1.1 | 192.168.2.7 | 0x3908 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.574609995 CET | 1.1.1.1 | 192.168.2.7 | 0x7019 | Name error (3) | truculengisau.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.589463949 CET | 1.1.1.1 | 192.168.2.7 | 0x2dd4 | Name error (3) | fraggielek.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.599961996 CET | 1.1.1.1 | 192.168.2.7 | 0xb847 | Name error (3) | grandiouseziu.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.609463930 CET | 1.1.1.1 | 192.168.2.7 | 0xe6d3 | Name error (3) | littlenotii.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.620702982 CET | 1.1.1.1 | 192.168.2.7 | 0xb6e9 | Name error (3) | marketlumpe.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.631741047 CET | 1.1.1.1 | 192.168.2.7 | 0x76e1 | Name error (3) | nuttyshopr.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.643004894 CET | 1.1.1.1 | 192.168.2.7 | 0xcaf7 | Name error (3) | punishzement.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.653106928 CET | 1.1.1.1 | 192.168.2.7 | 0x35b7 | Name error (3) | spookycappy.biz | none | none | A (IP address) | IN (0x0001) | false
Jan 13, 2025 21:42:48.662281990 CET | 1.1.1.1 | 192.168.2.7 | 0xebc1 | No error (0) | steamcommunity.com | | 23.50.98.133 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49809 | 23.50.98.133 | 443 | 7620 | C:\Users\user\Desktop\uo9m.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-13 20:42:49 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
2025-01-13 20:42:49 UTC | 1905 | IN | HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Mon, 13 Jan 2025 20:42:49 GMT
    Content-Length: 25665
    Connection: close
    Set-Cookie: sessionid=3f713095140489aea305f2c9; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-13 20:42:49 UTC | 14479 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e
    Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-13 20:42:50 UTC | 10097 | IN | Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09
    Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>
2025-01-13 20:42:50 UTC | 1089 | IN | Data Raw: 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e 65 72 73 20 69 6e 20 74 68 65 20 55 53 20 61 6e 64 20 6f 74 68 65 72 20 63 6f 75 6e 74 72 69 65 73 2e 3c 62 72 2f 3e 53 6f 6d 65 20 67 65 6f 73 70 61 74 69 61 6c 20 64 61 74 61 20 6f 6e 20 74 68 69 73 20 77 65 62 73 69 74 65 20 69 73 20 70 72 6f 76 69 64 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6c 69 6e 6b 66 69 6c 74 65 72 2f 3f 75 3d 68 74 74 70 25 33 41 25 32 46 25 32 46 77 77 77 2e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0a 09 09 09 09 09
    Data Ascii: heir respective owners in the US and other countries.<br/>Some geospatial data on this website is provided by <a href="https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org" target="_blank" rel=" noopener">geonames.org</a>.<br>
Target ID: 0
Start time: 15:42:36
Start date: 13/01/2025
Path: C:\Users\user\Desktop\uo9m.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\uo9m.exe"
Imagebase: 0x1f0000
File size: 799'014'912 bytes
MD5 hash: A83802CA265A8D7D66F7307BF4F16367
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true
Execution Graph

Execution Coverage: 0.8%
Dynamic/Decrypted Code Coverage: 6.2%
Signature Coverage: 69.9%
Total number of Nodes: 959
Total number of Limit Nodes: 17
execution_graph: [interactive graph widget; the serialized node IDs and edge list are not reproduced here]
API and CRT functions named in the graph nodes (in order of first appearance): LdrInitializeThunk, _amsg_exit, _initterm, SetUnhandledExceptionFilter, malloc, strlen, memcpy, exit, _exit, _cexit, VirtualProtect, _onexit, AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SetThreadDescription, GetProcessHeap, HeapFree, TlsGetValue, TlsSetValue, WaitOnAddress, GetLastError, WakeByAddressAll, CreateMutexA, CreateTimerQueue, memset, SetFileAttributesW, HeapCreate, HeapAlloc, CreateToolhelp32Snapshot, Process32FirstW, CloseHandle, Process32NextW, GetCurrentProcessId, DebugActiveProcess, GetCurrentProcess, TerminateProcess
2 API calls 78756->78768 78770 1fb41c 78756->78770 79331 289fd0 304 API calls 78757->79331 78758->78739 78763 1fa36b 78758->78763 78765 1fa3cb 78759->78765 78760->78751 78761->78756 78766 1fa3ea 78762->78766 78767 1fe250 2 API calls 78763->78767 78765->78755 78774 1fa3f8 78766->78774 78775 1fb3a6 78766->78775 78776 1fa374 78767->78776 78768->78770 78771 1fb43b 78770->78771 78772 1fe250 2 API calls 78770->78772 78773 1fb45a 78771->78773 78777 1fe250 2 API calls 78771->78777 78772->78771 78778 1fb479 78773->78778 78781 1fe250 2 API calls 78773->78781 78779 1f9320 315 API calls 78774->78779 79336 27d7c4 304 API calls 78775->79336 78776->78739 78777->78773 78782 1fb498 78778->78782 78785 1fe250 2 API calls 78778->78785 78783 1fa412 78779->78783 78781->78778 78787 1fb4b7 78782->78787 78788 1fe250 2 API calls 78782->78788 78786 1f9320 315 API calls 78783->78786 78784 1fb2cf 78784->78747 78784->78749 78785->78782 78790 1fa42f 78786->78790 78789 1fb4d2 78787->78789 78792 1fe250 2 API calls 78787->78792 78788->78787 78793 1fb4ed 78789->78793 78795 1fe250 2 API calls 78789->78795 78791 1f9320 315 API calls 78790->78791 78794 1fa44c 78791->78794 78792->78789 78796 1fb508 78793->78796 78798 1fe250 2 API calls 78793->78798 78797 1f9320 315 API calls 78794->78797 78795->78793 78799 1fb523 78796->78799 78800 1fe250 2 API calls 78796->78800 78801 1fa469 78797->78801 78798->78796 78802 1fb53e 78799->78802 78804 1fe250 2 API calls 78799->78804 78800->78799 78803 1f9320 315 API calls 78801->78803 78805 1fb559 78802->78805 78807 1fe250 2 API calls 78802->78807 78806 1fa486 78803->78806 78804->78802 78808 1fb574 78805->78808 78810 1fe250 2 API calls 78805->78810 78809 1f9320 315 API calls 78806->78809 78807->78805 78811 1fb58f 78808->78811 78812 1fe250 2 API calls 78808->78812 78814 1fa4a3 78809->78814 78810->78808 78813 1fb5aa 78811->78813 78815 1fe250 2 API calls 78811->78815 78812->78811 78816 1fb5c5 78813->78816 78818 1fe250 2 API calls 78813->78818 78817 1f9320 315 API calls 
78814->78817 78815->78813 78820 1fb5e0 78816->78820 78822 1fe250 2 API calls 78816->78822 78819 1fa4c0 78817->78819 78818->78816 78821 1f9320 315 API calls 78819->78821 78823 1fb5fb 78820->78823 78824 1fe250 2 API calls 78820->78824 78826 1fa4dd 78821->78826 78822->78820 78825 1fb616 78823->78825 78827 1fe250 2 API calls 78823->78827 78824->78823 78828 1fb631 78825->78828 78830 1fe250 2 API calls 78825->78830 78829 1f9320 315 API calls 78826->78829 78827->78825 78831 1fb64c 78828->78831 78833 1fe250 2 API calls 78828->78833 78832 1fa4fa 78829->78832 78830->78828 78835 1fb667 78831->78835 78836 1fe250 2 API calls 78831->78836 78834 1f9320 315 API calls 78832->78834 78833->78831 78838 1fa517 78834->78838 78837 1fb682 78835->78837 78840 1fe250 2 API calls 78835->78840 78836->78835 78841 1fb69d 78837->78841 78843 1fe250 2 API calls 78837->78843 78839 1f9320 315 API calls 78838->78839 78842 1fa534 78839->78842 78840->78837 78844 1fb6b8 78841->78844 78846 1fe250 2 API calls 78841->78846 78845 1f9320 315 API calls 78842->78845 78843->78841 78847 1fb6d3 78844->78847 78848 1fe250 2 API calls 78844->78848 78849 1fa551 78845->78849 78846->78844 78850 1fb6ee 78847->78850 78852 1fe250 2 API calls 78847->78852 78848->78847 78851 1f9320 315 API calls 78849->78851 78853 1fb709 78850->78853 78855 1fe250 2 API calls 78850->78855 78854 1fa56e 78851->78854 78852->78850 78856 1fb724 78853->78856 78858 1fe250 2 API calls 78853->78858 78857 1f9320 315 API calls 78854->78857 78855->78853 78859 1fb73f 78856->78859 78860 1fe250 2 API calls 78856->78860 78862 1fa58b 78857->78862 78858->78856 78861 1fb75a 78859->78861 78863 1fe250 2 API calls 78859->78863 78860->78859 78864 1fb76f 78861->78864 78866 1fe250 2 API calls 78861->78866 78865 1f9320 315 API calls 78862->78865 78863->78861 78868 1fb784 78864->78868 78870 1fe250 2 API calls 78864->78870 78867 1fa5a8 78865->78867 78866->78864 78869 1f9320 315 API calls 78867->78869 78871 1fb799 78868->78871 78872 1fe250 2 API calls 78868->78872 78874 
1fa5c5 78869->78874 78870->78868 78873 1fb7b4 78871->78873 78875 1fe250 2 API calls 78871->78875 78872->78871 78876 1fb7cf 78873->78876 78878 1fe250 2 API calls 78873->78878 78877 1f9320 315 API calls 78874->78877 78875->78873 78879 1fb7ea 78876->78879 78881 1fe250 2 API calls 78876->78881 78880 1fa5e2 78877->78880 78878->78876 78883 1fb805 78879->78883 78884 1fe250 2 API calls 78879->78884 78882 1f9320 315 API calls 78880->78882 78881->78879 78886 1fa5ff 78882->78886 78885 1fb820 78883->78885 78888 1fe250 2 API calls 78883->78888 78884->78883 78889 1fb83b 78885->78889 78891 1fe250 2 API calls 78885->78891 78887 1f9320 315 API calls 78886->78887 78890 1fa61c 78887->78890 78888->78885 78892 1fb856 78889->78892 78894 1fe250 2 API calls 78889->78894 78893 1f9320 315 API calls 78890->78893 78891->78889 78895 1fb871 78892->78895 78896 1fe250 2 API calls 78892->78896 78897 1fa639 78893->78897 78894->78892 78898 1fb88c 78895->78898 78900 1fe250 2 API calls 78895->78900 78896->78895 78899 1f9320 315 API calls 78897->78899 78901 1fb8a7 78898->78901 78903 1fe250 2 API calls 78898->78903 78902 1fa653 78899->78902 78900->78898 78904 1fb8c2 78901->78904 78906 1fe250 2 API calls 78901->78906 78905 1f9320 315 API calls 78902->78905 78903->78901 78907 1fb8dd 78904->78907 78908 1fe250 2 API calls 78904->78908 78910 1fa66d 78905->78910 78906->78904 78909 1fb8f8 78907->78909 78911 1fe250 2 API calls 78907->78911 78908->78907 78912 1fb913 78909->78912 78914 1fe250 2 API calls 78909->78914 78913 1f9320 315 API calls 78910->78913 78911->78909 78916 1fb92e 78912->78916 78918 1fe250 2 API calls 78912->78918 78915 1fa687 78913->78915 78914->78912 78917 1f9320 315 API calls 78915->78917 78919 1fb949 78916->78919 78920 1fe250 2 API calls 78916->78920 78922 1fa6a4 78917->78922 78918->78916 78921 1fb964 78919->78921 78923 1fe250 2 API calls 78919->78923 78920->78919 78924 1fb97f 78921->78924 78926 1fe250 2 API calls 78921->78926 78925 1f9320 315 API calls 78922->78925 78923->78921 78927 1fb99d 
78924->78927 78929 1fe250 2 API calls 78924->78929 78928 1fa6c1 78925->78928 78926->78924 78931 1fb9b5 78927->78931 78932 1fb99a 78927->78932 78930 1f9320 315 API calls 78928->78930 78929->78932 78934 1fa6de 78930->78934 78936 1fe250 2 API calls 78931->78936 78932->78927 78933 1fe250 2 API calls 78932->78933 78933->78931 78935 1f9320 315 API calls 78934->78935 78937 1fa6fb 78935->78937 78938 1fc2cc 78936->78938 78939 1f9320 315 API calls 78937->78939 79337 1f9710 GetProcessHeap HeapFree 78938->79337 78940 1fa718 78939->78940 78943 1f9320 315 API calls 78940->78943 78942 1fc2da 79338 2a2fc0 206 API calls 78942->79338 78945 1fa735 78943->78945 78947 1f9320 315 API calls 78945->78947 78946 1fc2e0 78951 1fc30d 78946->78951 79339 205c30 306 API calls 78946->79339 78948 1fa752 78947->78948 78950 1f9320 315 API calls 78948->78950 78952 1fa76f 78950->78952 78951->78297 78953 1f9320 315 API calls 78952->78953 78954 1fa78c 78953->78954 78955 1f9320 315 API calls 78954->78955 78956 1fa7a9 78955->78956 78957 1f9320 315 API calls 78956->78957 78958 1fa7c6 78957->78958 78959 1f9320 315 API calls 78958->78959 78960 1fa7e3 78959->78960 78961 1f9320 315 API calls 78960->78961 78962 1fa800 78961->78962 78963 1f9320 315 API calls 78962->78963 78964 1fa81d 78963->78964 78965 1f9320 315 API calls 78964->78965 78966 1fa83a 78965->78966 78967 1f9320 315 API calls 78966->78967 78968 1fa857 78967->78968 78969 1f9320 315 API calls 78968->78969 78970 1fa874 78969->78970 78971 1f9320 315 API calls 78970->78971 78972 1fa891 78971->78972 78973 1f9320 315 API calls 78972->78973 78974 1fa8ae 78973->78974 78975 1f9320 315 API calls 78974->78975 78976 1fa8cb 78975->78976 78977 1f9320 315 API calls 78976->78977 78978 1fa8e8 78977->78978 78979 1f9320 315 API calls 78978->78979 78980 1fa905 78979->78980 78981 1f9320 315 API calls 78980->78981 78982 1fa922 78981->78982 78983 1f9320 315 API calls 78982->78983 78984 1fa93f 78983->78984 78985 1f9320 315 API calls 78984->78985 78986 1fa95c 78985->78986 
78987 1f9320 315 API calls 78986->78987 78988 1fa979 78987->78988 78989 1f9320 315 API calls 78988->78989 78990 1fa996 78989->78990 78991 1f9320 315 API calls 78990->78991 78992 1fa9b3 78991->78992 78993 1f9320 315 API calls 78992->78993 78994 1fa9d0 78993->78994 78995 1f9320 315 API calls 78994->78995 78996 1fa9ed 78995->78996 78997 1f9320 315 API calls 78996->78997 78998 1faa0a 78997->78998 78999 1f9320 315 API calls 78998->78999 79000 1faa24 78999->79000 79001 1f9320 315 API calls 79000->79001 79002 1faa3b 79001->79002 79003 1f9320 315 API calls 79002->79003 79004 1faa55 79003->79004 79005 1f9320 315 API calls 79004->79005 79009 1faa72 79005->79009 79006 1fb1d7 79329 1f7550 GetProcessHeap HeapFree 79006->79329 79007 1f9320 315 API calls 79007->79009 79009->79006 79009->79007 79010 1fb322 79009->79010 79013 27e090 306 API calls 79009->79013 79015 1fb11c GetModuleHandleA 79009->79015 79016 1fb364 79009->79016 79334 28a430 304 API calls 79010->79334 79011 1fe250 2 API calls 79014 1fb1e5 79011->79014 79013->79009 79014->78737 79014->79011 79018 1fb12c GetProcAddress 79015->79018 79020 1fb086 79015->79020 79335 28a430 304 API calls 79016->79335 79018->79020 79019 1fb16b 79022 1fb239 GetCurrentProcessId DebugActiveProcess 79019->79022 79024 1fe250 2 API calls 79019->79024 79020->79009 79020->79019 79021 1fe250 GetProcessHeap HeapFree 79020->79021 79023 1fb1d2 79020->79023 79021->79020 79025 1fb24f GetCurrentProcess TerminateProcess 79022->79025 79026 1fb2d7 79022->79026 79023->79006 79027 1fb236 79024->79027 79029 1fb263 79025->79029 79030 1fb26e 79025->79030 79333 289fd0 304 API calls 79026->79333 79027->79022 79031 1fe250 2 API calls 79029->79031 79330 1f7550 GetProcessHeap HeapFree 79030->79330 79031->79030 79034 1f95a1 79033->79034 79038 1f9339 79033->79038 79343 28a2c2 304 API calls 79034->79343 79036 1f9593 79342 27d7a9 304 API calls 79036->79342 79037 1f9352 79041 1fe240 2 API calls 79037->79041 79043 1f9364 79037->79043 79038->79036 79038->79037 79039 1f95c9 
79039->78300 79041->79043 79042 1f9378 memcpy 79044 1f939a 79042->79044 79045 1f9524 79042->79045 79043->79042 79047 1f9655 79043->79047 79044->79039 79340 1f5da0 308 API calls 79044->79340 79046 1f952f 79045->79046 79048 1fe250 2 API calls 79045->79048 79061 1f954b 79046->79061 79344 28a430 304 API calls 79046->79344 79346 27d7a9 304 API calls 79047->79346 79048->79046 79053 1f9506 79341 1f5680 310 API calls 79053->79341 79059 1f9650 79059->79047 79063 1f9573 79061->79063 79345 28a430 304 API calls 79061->79345 79063->78300 79065 1f8790 79064->79065 79067 1f8837 79065->79067 79069 1f87d7 79065->79069 79086 1f22ad 79065->79086 79347 1f5310 305 API calls 79065->79347 79353 28a430 304 API calls 79067->79353 79348 1f8880 305 API calls 79069->79348 79070 1f885b 79354 1f7900 GetProcessHeap HeapFree 79070->79354 79073 1f87e8 79349 1f8880 305 API calls 79073->79349 79074 1f8868 79355 2a2fc0 206 API calls 79074->79355 79076 1f87f9 79350 1f8880 305 API calls 79076->79350 79079 1f8871 79356 28a251 304 API calls 79079->79356 79080 1f880a 79351 1f8880 305 API calls 79080->79351 79084 1f881b 79352 1f8880 305 API calls 79084->79352 79087 1f3e50 GetModuleHandleExW 79086->79087 79088 1f3e7a memset GetModuleFileNameW 79087->79088 79089 1f22b6 79087->79089 79088->79089 79090 1f3ea2 79088->79090 79089->78317 79099 2816c0 79089->79099 79091 1f3f09 79090->79091 79092 1f3ea9 79090->79092 79358 290310 304 API calls 79091->79358 79357 23fe30 304 API calls 79092->79357 79096 1f3ed0 79096->79089 79097 1f3eb4 79097->79089 79097->79096 79098 1fe250 2 API calls 79097->79098 79098->79096 79100 2816d0 79099->79100 79101 281716 79099->79101 79105 1fe240 2 API calls 79100->79105 79108 2816ee memcpy 79100->79108 79359 27d7a9 304 API calls 79101->79359 79104 281724 79360 27d7a9 304 API calls 79104->79360 79106 2816e7 79105->79106 79106->79104 79106->79108 79108->78325 79117 1fdb5a 79113->79117 79114 1fdee9 79362 27d7a9 304 API calls 79114->79362 79116 1fe240 2 API calls 79119 1fdccb 79116->79119 
79117->79114 79117->79116 79130 1f232b 79117->79130 79119->79114 79125 1fdcd6 79119->79125 79125->79130 79361 1f6640 304 API calls 79125->79361 79130->78342 79310 1fe250 79130->79310 79141 1f2382 79140->79141 79142 1f7a56 CreateEventW 79140->79142 79210 1fe240 79141->79210 79142->79141 79143 1f7a6d GetModuleHandleA 79142->79143 79143->79141 79144 1f7a7c 79143->79144 79144->79141 79363 206260 79144->79363 79146 1f7a91 79372 1f6360 79146->79372 79149 1f9320 315 API calls 79150 1f7abb LoadLibraryA 79149->79150 79151 1f9320 315 API calls 79150->79151 79152 1f7ae3 GetProcAddress 79151->79152 79153 1f7afa 79152->79153 79154 1f7b03 79152->79154 79155 1fe250 2 API calls 79153->79155 79156 1f7b18 79154->79156 79158 1fe250 2 API calls 79154->79158 79155->79154 79157 1f9320 315 API calls 79156->79157 79159 1f7b32 GetModuleHandleA 79157->79159 79158->79156 79160 1f9320 315 API calls 79159->79160 79161 1f7b5a GetProcAddress 79160->79161 79162 1f7b7a 79161->79162 79163 1f7b71 79161->79163 79165 1f7b8f 79162->79165 79166 1fe250 2 API calls 79162->79166 79164 1fe250 2 API calls 79163->79164 79164->79162 79167 1f9320 315 API calls 79165->79167 79166->79165 79168 1f7ba9 LoadLibraryA 79167->79168 79169 1f9320 315 API calls 79168->79169 79170 1f7bd1 GetProcAddress 79169->79170 79171 1f7be8 79170->79171 79172 1f7bf4 79170->79172 79173 1fe250 2 API calls 79171->79173 79174 1f7bf1 79172->79174 79177 1f7c06 79172->79177 79173->79174 79174->79172 79175 1fe250 2 API calls 79174->79175 79175->79177 79176 1f9320 315 API calls 79178 1f7c20 LoadLibraryA 79176->79178 79177->79176 79179 1f9320 315 API calls 79178->79179 79180 1f7c48 GetProcAddress 79179->79180 79181 1f7c5f 79180->79181 79182 1f7c68 79180->79182 79184 1fe250 2 API calls 79181->79184 79183 1f7c7d 79182->79183 79185 1fe250 2 API calls 79182->79185 79186 1f9320 315 API calls 79183->79186 79184->79182 79185->79183 79187 1f7c97 LoadLibraryA 79186->79187 79188 1f9320 315 API calls 79187->79188 79189 1f7cbf GetProcAddress 79188->79189 
79190 1f7cd6 79189->79190 79191 1f7cdf 79189->79191 79192 1fe250 2 API calls 79190->79192 79193 1f7cf4 79191->79193 79195 1fe250 2 API calls 79191->79195 79192->79191 79194 1f9320 315 API calls 79193->79194 79196 1f7d0e LoadLibraryA 79194->79196 79195->79193 79197 1f9320 315 API calls 79196->79197 79198 1f7d36 GetProcAddress 79197->79198 79199 1f7d4c 79198->79199 79200 1f7d55 79198->79200 79201 1fe250 2 API calls 79199->79201 79202 1f7d6a 79200->79202 79203 1fe250 2 API calls 79200->79203 79201->79200 79204 1f7dc6 79202->79204 79205 1f7da6 CreateEventW 79202->79205 79203->79202 79204->79141 79393 206090 GetProcessHeap HeapFree 79204->79393 79205->79204 79207 1f7db7 WaitForSingleObject 79205->79207 79207->79204 79209 1f7de1 SetEvent DeleteTimerQueue 79207->79209 79208 1f7dd6 79208->79141 79209->79141 79209->79204 79211 2493f0 79210->79211 79212 249402 79211->79212 79213 249419 79211->79213 79468 25a950 GetProcessHeap 79212->79468 79215 25a950 2 API calls 79213->79215 79217 24942c 79215->79217 79216 249413 79216->78331 79217->78331 79219 1f7f89 79218->79219 79220 1f8136 79218->79220 79222 1f9320 315 API calls 79219->79222 79221 1f82e4 AddVectoredExceptionHandler NtQueryInformationProcess 79220->79221 79224 1f9320 315 API calls 79220->79224 79223 1f831d 79221->79223 79228 1f7fa0 79222->79228 79225 1fe240 2 API calls 79223->79225 79239 1f815a 79224->79239 79226 1f8337 79225->79226 79230 1f865e 79226->79230 79231 1f8342 NtQuerySystemInformation 79226->79231 79227 1f7fcb 79472 27e2c0 304 API calls 79227->79472 79228->79227 79234 1f7fe1 79228->79234 79480 27d7a9 304 API calls 79230->79480 79238 1f85f7 79231->79238 79265 1f8364 79231->79265 79232 1f818b 79476 27e2c0 304 API calls 79232->79476 79233 1f8198 79233->79232 79240 1f81a1 79233->79240 79241 1f802c GetModuleHandleA 79234->79241 79242 1f7fe7 79234->79242 79237 1f8027 79237->79241 79245 1fe250 2 API calls 79238->79245 79239->79232 79239->79233 79239->79240 79246 1f81ec GetModuleHandleA 79240->79246 79247 1f81a7 
79240->79247 79250 1f803b LoadLibraryA 79241->79250 79251 1f8049 79241->79251 79471 28a430 304 API calls 79242->79471 79244 1f81e7 79244->79246 79252 1f23ed 79245->79252 79256 1f9320 315 API calls 79246->79256 79475 28a430 304 API calls 79247->79475 79250->79251 79287 1f85bb 79250->79287 79257 1f9320 315 API calls 79251->79257 79252->78357 79252->78364 79281 1f820f 79256->79281 79272 1f8063 79257->79272 79260 1f83c4 79262 1f846f 79260->79262 79263 1f85e2 79260->79263 79261 1f8403 NtOpenThread 79261->79265 79268 1fe250 2 API calls 79262->79268 79263->79238 79273 1fe250 2 API calls 79263->79273 79265->79238 79265->79260 79265->79261 79479 1f64f0 304 API calls 79265->79479 79290 1f8484 79268->79290 79269 1fe250 2 API calls 79269->79252 79270 1f808b 79474 27e2c0 304 API calls 79270->79474 79271 1f8096 79271->79270 79279 1f809d 79271->79279 79272->79270 79272->79271 79272->79279 79273->79238 79274 1f8296 79277 1f829d GetProcAddress 79274->79277 79285 1f82af 79277->79285 79286 1f857e 79277->79286 79278 1f8490 NtGetContextThread 79278->79287 79278->79290 79283 1f80a6 79279->79283 79284 1f80f0 GetProcAddress 79279->79284 79280 1f80e9 79280->79284 79281->79277 79282 1f800d 79281->79282 79477 28a430 304 API calls 79281->79477 79478 27e2c0 304 API calls 79282->79478 79473 28a430 304 API calls 79283->79473 79292 1f8541 79284->79292 79293 1f8101 79284->79293 79289 1f82cb 79285->79289 79297 1fe250 2 API calls 79285->79297 79296 1fe250 2 API calls 79286->79296 79306 1f852d 79286->79306 79287->79252 79287->79269 79289->79221 79300 1fe250 2 API calls 79289->79300 79290->79278 79294 1f84de 79290->79294 79295 1f8503 NtSetContextThread 79290->79295 79302 1fe250 2 API calls 79292->79302 79292->79306 79298 1f811d 79293->79298 79299 1fe250 2 API calls 79293->79299 79294->79295 79295->79287 79301 1f851a NtClose 79295->79301 79296->79306 79297->79289 79298->79220 79304 1fe250 2 API calls 79298->79304 79299->79298 79305 1f82e1 79300->79305 79301->79278 79301->79306 79302->79306 79303 1f8579 
79303->79252 79307 1f8133 79304->79307 79305->79221 79306->79252 79306->79287 79306->79303 79307->79220 79308->78315 79309->78303 79311 249450 GetProcessHeap HeapFree 79310->79311 79311->78349 79314->78324 79315->78337 79316->78356 79317->78414 79320->78354 79321->78354 79322->78412 79323->78439 79325->78430 79327->78751 79328->78751 79329->79014 79330->78776 79334->78784 79335->78784 79336->78784 79337->78942 79338->78946 79339->78951 79340->79053 79341->79045 79344->79061 79345->79059 79348->79073 79349->79076 79350->79080 79351->79084 79352->79086 79353->79070 79354->79074 79355->79079 79357->79097 79361->79125 79394 206520 79363->79394 79367 206273 79367->79146 79368 20637a 79368->79146 79371 206294 79371->79368 79398 205c30 306 API calls 79371->79398 79399 20a7b0 308 API calls 79371->79399 79466 206390 308 API calls 79372->79466 79374 1f6373 79375 1f637a 79374->79375 79467 28a050 304 API calls 79374->79467 79375->79149 79393->79208 79400 2041e0 79394->79400 79397 28a430 304 API calls 79397->79371 79398->79371 79399->79371 79401 204392 79400->79401 79402 2041f9 TlsGetValue 79400->79402 79460 25d7d0 304 API calls 79401->79460 79404 204209 79402->79404 79405 20437f 79402->79405 79404->79405 79407 204328 79404->79407 79448 20a990 79404->79448 79405->79367 79405->79397 79406 204398 TlsGetValue 79406->79404 79406->79405 79409 1fe240 2 API calls 79407->79409 79411 204341 79409->79411 79410 204244 79412 2043bc 79410->79412 79413 20424f 79410->79413 79414 204348 TlsGetValue TlsSetValue 79411->79414 79415 2043ae 79411->79415 79462 289fd0 304 API calls 79412->79462 79457 206540 304 API calls 79413->79457 79414->79405 79419 204366 79414->79419 79461 27d7c4 304 API calls 79415->79461 79422 204372 79419->79422 79459 206090 GetProcessHeap HeapFree 79419->79459 79420 2043b7 79463 27d7c4 304 API calls 79420->79463 79421 20426f 79458 206540 304 API calls 79421->79458 79425 1fe250 2 API calls 79422->79425 79425->79405 79426 204284 79428 1fe240 2 API calls 79426->79428 79430 
20429d 79428->79430 79429 204414 79432 1fe250 2 API calls 79429->79432 79430->79420 79431 2042a8 memset 79430->79431 79431->79407 79433 204443 79432->79433 79464 2a2fc0 206 API calls 79433->79464 79435 20444c 79436 1fe250 2 API calls 79435->79436 79438 20445d 79435->79438 79436->79438 79465 28a251 304 API calls 79438->79465 79449 20a99e 79448->79449 79454 20a9c8 79448->79454 79450 20ae60 BCryptGenRandom SystemFunction036 79449->79450 79451 20a9a7 79450->79451 79452 1fe240 GetProcessHeap HeapAlloc 79451->79452 79451->79454 79453 20a9c1 79452->79453 79453->79454 79455 27d7c4 304 API calls 79453->79455 79454->79410 79456 20a9e0 79455->79456 79456->79410 79457->79421 79458->79426 79459->79422 79460->79406 79461->79420 79463->79429 79464->79435 79466->79374 79469 25a95c HeapAlloc 79468->79469 79470 25a96a 79468->79470 79469->79216 79470->79216 79471->79282 79472->79237 79473->79282 79474->79280 79475->79282 79476->79244 79477->79282 79478->79274 79479->79265 79481 bcfcb4 79485 bd12a0 79481->79485 79483 bcfcb9 RtlReAllocateHeap 79484 bcfcde 79483->79484 79486 bd12b0 79485->79486 79486->79483 79486->79486 79487 bcfeb4 79488 bcfec0 GetForegroundWindow 79487->79488 79490 bcff65 79488->79490 79491 2a5b20 79509 2a5700 19 API calls 79491->79509 79493 2a5c33 79494 2a5b36 GetCurrentThreadId CreateEventA 79495 2a5b2c 79494->79495 79495->79493 79495->79494 79496 2a5b8c GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 79495->79496 79501 2a5c3d 79495->79501 79497 2aba9e abort 79496->79497 79498 2a5bf0 GetThreadPriority TlsSetValue 79496->79498 79500 2abab1 GetModuleHandleA 79497->79500 79498->79493 79498->79497 79505 2abb19 79500->79505 79506 2abae9 GetProcAddress GetProcAddress 79500->79506 79510 2a57f0 23 API calls 79501->79510 79511 2a5a60 23 API calls 79501->79511 79504 2a5c58 TlsGetValue 79507 2a5c78 79504->79507 79508 2a5c6d 79504->79508 79506->79505 79507->79491 79507->79497 79509->79495 79510->79501 79511->79504 79517 bd0748 79519 bd0769 79517->79519 
79520 bd078e 79517->79520 79518 bd07ee 79519->79520 79524 bcfcf0 LdrInitializeThunk 79519->79524 79520->79518 79523 bcfcf0 LdrInitializeThunk 79520->79523 79523->79518 79524->79520 79525 b98860 79527 b9886f 79525->79527 79526 b98ab7 ExitProcess 79527->79526 79528 b98884 GetCurrentProcessId GetCurrentThreadId 79527->79528 79537 b98aa0 79527->79537 79530 b988a9 79528->79530 79531 b988ad SHGetSpecialFolderPathW GetForegroundWindow 79528->79531 79530->79531 79532 b98959 79531->79532 79539 bce510 79532->79539 79534 b98a15 79534->79537 79542 b9cac0 CoInitializeEx 79534->79542 79543 bcfc60 FreeLibrary 79537->79543 79540 bd12a0 79539->79540 79541 bce51a RtlAllocateHeap 79540->79541 79541->79534 79543->79526 79544 bce545 79545 bd12a0 79544->79545 79546 bce54a RtlFreeHeap 79545->79546 79547 bca640 79548 bca648 79547->79548 79549 bca650 79548->79549 79551 bcfcf0 LdrInitializeThunk 79548->79551 79551->79548 79552 bd2da0 79554 bd2dc0 79552->79554 79553 bd2e9e 79554->79553 79556 bcfcf0 LdrInitializeThunk 79554->79556 79556->79553 79557 bd30e0 79558 bd311f 79557->79558 79559 bd30f9 79557->79559 79559->79558 79563 bcfcf0 LdrInitializeThunk 79559->79563 79561 bd3148 79561->79558 79564 bcfcf0 LdrInitializeThunk 79561->79564 79563->79561 79564->79558
APIs
• Part of subcall function 001F9320: memcpy.MSVCRT(00000001,00000021,00315AC0), ref: 001F937D
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001F9FDD
• memset.MSVCRT ref: 001F9FFB
• Process32FirstW.KERNEL32(00000000,?), ref: 001FA033
• memcpy.MSVCRT(00000000,?,00000000), ref: 001FA128
• memcpy.MSVCRT(00000001,?,00000000,?,?,?,00000002,00000000), ref: 001FA245
• Process32NextW.KERNEL32(?,0000022C), ref: 001FA304
• CloseHandle.KERNEL32(00000000,?,00000002,00000000), ref: 001FA37A
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 001FA3D1
Strings
• called `Result::unwrap()` on an `Err` value/rustc/243d2ca4db6f96d2d18aaf3a2381251d38eb6b0b\library\alloc\src\slice.rs, xrefs: 001FB355, 001FB397
• :, xrefs: 001FB03E
• ;Z1, xrefs: 001FB2C3
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: memcpy$CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32memset
• String ID: :$;Z1$called `Result::unwrap()` on an `Err` value/rustc/243d2ca4db6f96d2d18aaf3a2381251d38eb6b0b\library\alloc\src\slice.rs
                                                                                                                                                                                                    • API String ID: 3108730875-772805852
                                                                                                                                                                                                    • Opcode ID: 4d968d453f88b17dfe6c885231d38eba70ccab3bc5226f078449697e5ab9b960
                                                                                                                                                                                                    • Instruction ID: de33d481068d25c8add6712135b645fcaca0ccc16144b6ab7c0f9226b3c2dcc5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4d968d453f88b17dfe6c885231d38eba70ccab3bc5226f078449697e5ab9b960
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 06138075E4071CABDB21EF64CC46FEAB379AF59700F0441E5FA087A182E7B19A85CE50

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 582 1f7a40-1f7a50 CreateTimerQueue 583 1f7dd9-1f7de0 582->583 584 1f7a56-1f7a67 CreateEventW 582->584 584->583 585 1f7a6d-1f7a76 GetModuleHandleA 584->585 585->583 586 1f7a7c-1f7a7f 585->586 586->583 587 1f7a85-1f7af8 call 206260 call 1f6360 call 1f9320 LoadLibraryA call 1f9320 GetProcAddress 586->587 596 1f7afa-1f7b03 call 1fe250 587->596 597 1f7b06-1f7b0b 587->597 596->597 599 1f7b0d-1f7b18 call 1fe250 597->599 600 1f7b1b-1f7b6f call 1f9320 GetModuleHandleA call 1f9320 GetProcAddress 597->600 599->600 608 1f7b7d-1f7b82 600->608 609 1f7b71-1f7b7a call 1fe250 600->609 611 1f7b84-1f7b8f call 1fe250 608->611 612 1f7b92-1f7be6 call 1f9320 LoadLibraryA call 1f9320 GetProcAddress 608->612 609->608 611->612 620 1f7be8-1f7bec call 1fe250 612->620 621 1f7bf4-1f7bf9 612->621 625 1f7bf1 620->625 623 1f7bfb-1f7c06 call 1fe250 621->623 624 1f7c09-1f7c5d call 1f9320 LoadLibraryA call 1f9320 GetProcAddress 621->624 623->624 632 1f7c5f-1f7c68 call 1fe250 624->632 633 1f7c6b-1f7c70 624->633 625->621 632->633 634 1f7c72-1f7c7d call 1fe250 633->634 635 1f7c80-1f7cd4 call 1f9320 LoadLibraryA call 1f9320 GetProcAddress 633->635 634->635 644 1f7cd6-1f7cdf call 1fe250 635->644 645 1f7ce2-1f7ce7 635->645 644->645 647 1f7ce9-1f7cf4 call 1fe250 645->647 648 1f7cf7-1f7d4a call 1f9320 LoadLibraryA call 1f9320 GetProcAddress 645->648 647->648 656 1f7d4c-1f7d55 call 1fe250 648->656 657 1f7d58-1f7d5d 648->657 656->657 659 1f7d5f-1f7d6a call 1fe250 657->659 660 1f7d6d-1f7d9a 657->660 659->660 663 1f7d9c-1f7da0 660->663 664 1f7dc6-1f7dcb 660->664 663->664 667 1f7da2-1f7da4 663->667 664->583 665 1f7dcd-1f7dd6 call 206090 664->665 665->583 667->664 668 1f7da6-1f7db5 CreateEventW 667->668 668->664 670 1f7db7-1f7dc4 WaitForSingleObject 668->670 670->664 672 1f7de1-1f7df2 SetEvent DeleteTimerQueue 670->672 672->583 673 1f7df4 672->673 673->665
APIs
• CreateTimerQueue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,001F2382), ref: 001F7A49
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001F7A60
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001F7A6F
  • Part of subcall function 001F9320: memcpy.MSVCRT(00000001,00000021,00315AC0), ref: 001F937D
• LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 001F7AC5
• GetProcAddress.KERNEL32(00000000,?), ref: 001F7AEB
• GetModuleHandleA.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000), ref: 001F7B3C
• GetProcAddress.KERNEL32(00000000,?), ref: 001F7B62
• LoadLibraryA.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 001F7BB3
• LoadLibraryA.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 001F7C2A
• GetProcAddress.KERNEL32(00000000,?), ref: 001F7C50
• LoadLibraryA.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 001F7CA1
• GetProcAddress.KERNEL32(00000000,?), ref: 001F7CC7
• LoadLibraryA.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 001F7D18
• GetProcAddress.KERNEL32(00000000,?), ref: 001F7D3E
• GetProcAddress.KERNEL32(00000000,?), ref: 001F7BD9
  • Part of subcall function 001FE250: GetProcessHeap.KERNEL32(?), ref: 00249460
  • Part of subcall function 001FE250: HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 00249469
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00000000,?,?,?,00000000,?), ref: 001F7DAE
• WaitForSingleObject.KERNEL32(00000000,001F2382,00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 001F7DBD
• SetEvent.KERNEL32(00000000,00000000,001F2382,00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 001F7DE2
• DeleteTimerQueue.KERNEL32(00000000), ref: 001F7DE8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$CreateEvent$HandleHeapModuleQueueTimer$DeleteFreeObjectProcessSingleWaitmemcpy
• String ID: {~U
• API String ID: 93789523-940978701
• Opcode ID: d24d235ae2c93485fd7c901745408f9aa2b217acfdaf9a42c0f24468f7c6b3f2
• Instruction ID: f4cda95860d7e333104cce35da4cc36c670e1382571e8f817ee08331d98c17e8
• Opcode Fuzzy Hash: d24d235ae2c93485fd7c901745408f9aa2b217acfdaf9a42c0f24468f7c6b3f2
• Instruction Fuzzy Hash: 67B14FB5E40309BBEF11ABB49C82FFE766DAF59740F444520FA10B61C2EBB5D9508A20
APIs
  • Part of subcall function 001F9320: memcpy.MSVCRT(00000001,00000021,00315AC0), ref: 001F937D
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 001F2290
• GetLastError.KERNEL32(00000000,00000000,00000000), ref: 001F2295
• SetFileAttributesW.KERNEL32(?,00000007,?,?,?,?,?,?,00000000), ref: 001F2349
• memcpy.MSVCRT(00000000,002B12C4,000632FF,?,?,?,00000000), ref: 001F23B1
• HeapCreate.KERNEL32(00040000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 001F2412
• HeapAlloc.KERNEL32(00000000,00000008,000632FF,00040000,00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 001F2423
• memcpy.MSVCRT(00000000,00000000,000632FF,00000000,00000008,000632FF,00040000,00000000,00000000), ref: 001F2435
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: memcpy$CreateHeap$AllocAttributesErrorFileLastMutex
• String ID: $/i:S$SYNC$a Display implementation returned an error unexpectedly/rustc/243d2ca4db6f96d2d18aaf3a2381251d38eb6b0b\library\alloc\src\string.rs
• API String ID: 394507146-447308790
• Opcode ID: 47f7976a78730714b675e305e52eddbba3114a4926d3254e5dddd700e82133db
• Instruction ID: a4c025a48dd2c3adafbd226e898ed169781c684b3e15eb4107bd799f419d5b74
• Opcode Fuzzy Hash: 47f7976a78730714b675e305e52eddbba3114a4926d3254e5dddd700e82133db
• Instruction Fuzzy Hash: 00E25BB1E0021CABEF21DB54DC42FEEB7B9AF55700F0401A5EA09B7291E7719E948F61

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1298 1f7f50-1f7f83 memset 1299 1f7f89-1f7faf call 1f9320 1298->1299 1300 1f8136-1f813d 1298->1300 1310 1f7fcd-1f7fdf call 28fc80 1299->1310 1311 1f7fb1-1f7fb3 1299->1311 1301 1f82e4-1f831b AddVectoredExceptionHandler NtQueryInformationProcess 1300->1301 1302 1f8143-1f8169 call 1f9320 1300->1302 1304 1f831d-1f8320 1301->1304 1305 1f8323-1f833c call 1fe240 1301->1305 1314 1f818d-1f8193 call 28fc80 1302->1314 1315 1f816b-1f816d 1302->1315 1304->1305 1321 1f865e-1f8677 call 27d7a9 1305->1321 1322 1f8342-1f835e NtQuerySystemInformation 1305->1322 1316 1f8015-1f802a call 27e2c0 1310->1316 1327 1f7fe1-1f7fe5 1310->1327 1311->1316 1317 1f7fb5-1f7fb7 1311->1317 1326 1f8198-1f819f 1314->1326 1323 1f816f-1f817b 1315->1323 1324 1f81d5-1f81ea call 27e2c0 1315->1324 1336 1f802c-1f8039 GetModuleHandleA 1316->1336 1325 1f7fc0-1f7fc4 1317->1325 1347 1f867d-1f86a4 1321->1347 1348 1f8708-1f8710 1321->1348 1331 1f85fa-1f8602 call 1fe250 1322->1331 1332 1f8364-1f8381 1322->1332 1333 1f8180-1f8184 1323->1333 1344 1f81ec-1f8221 GetModuleHandleA call 1f9320 1324->1344 1325->1327 1334 1f7fc6-1f7fc9 1325->1334 1326->1324 1335 1f81a1-1f81a5 1326->1335 1327->1336 1337 1f7fe7-1f8010 call 28a430 1327->1337 1351 1f8607-1f8621 1331->1351 1332->1331 1341 1f8387-1f8399 1332->1341 1333->1335 1342 1f8186-1f8189 1333->1342 1334->1325 1343 1f7fcb 1334->1343 1335->1344 1345 1f81a7-1f81d0 call 28a430 1335->1345 1349 1f803b-1f8043 LoadLibraryA 1336->1349 1350 1f8049-1f8075 call 1f9320 1336->1350 1368 1f827f 1337->1368 1352 1f83a0-1f83aa 1341->1352 1342->1333 1353 1f818b 1342->1353 1343->1316 1383 1f823d-1f824b call 28fc80 1344->1383 1384 1f8223-1f8225 1344->1384 1345->1368 1367 1f86a4-1f86ac call 1fe250 1347->1367 1357 1f8756-1f875e call 2a2fc0 1348->1357 1358 1f8712-1f8753 call 1fe250 1348->1358 1349->1350 1360 1f8623-1f8642 1349->1360 1386 1f808d-1f808f 1350->1386 1387 1f8077-1f8079 1350->1387 1362 1f8650-1f865d 1351->1362 1363 1f83ac-1f83b7 1352->1363 1364 1f83d0-1f83dc 1352->1364 1353->1324 1358->1357 1360->1362 1371 1f8644-1f8647 1360->1371 1374 1f83bd-1f83c2 1363->1374 1375 1f8461-1f8469 1363->1375 1364->1363 1365 1f83de-1f83e7 1364->1365 1377 1f8403-1f843e NtOpenThread 1365->1377 1367->1348 1379 1f8281-1f829b call 27e2c0 1368->1379 1385 1f8648-1f864d call 1fe250 1371->1385 1374->1352 1376 1f83c4 1374->1376 1381 1f846f-1f848c call 1fe250 1375->1381 1382 1f85e2-1f85e7 1375->1382 1376->1375 1390 1f83fd-1f8401 1377->1390 1391 1f8440-1f844c 1377->1391 1416 1f829d-1f82a9 GetProcAddress 1379->1416 1417 1f8490-1f84a1 NtGetContextThread 1381->1417 1382->1331 1392 1f85e9-1f85f7 call 1fe250 1382->1392 1383->1379 1413 1f824d-1f8254 1383->1413 1384->1379 1400 1f8227-1f8229 1384->1400 1385->1362 1399 1f8091-1f809b call 28fc80 1386->1399 1397 1f807b-1f807d 1387->1397 1398 1f80d4-1f80ee call 27e2c0 1387->1398 1390->1363 1390->1377 1405 1f844e-1f845f call 1f64f0 1391->1405 1406 1f83f0-1f83fa 1391->1406 1392->1331 1402 1f8080-1f8084 1397->1402 1426 1f80f0-1f80fb GetProcAddress 1398->1426 1399->1398 1418 1f809d-1f80a4 1399->1418 1412 1f8230-1f8234 1400->1412 1402->1418 1419 1f8086-1f8089 1402->1419 1405->1406 1406->1390 1412->1413 1421 1f8236-1f8239 1412->1421 1413->1416 1424 1f8256-1f827c call 28a430 1413->1424 1428 1f82af-1f82c0 1416->1428 1429 1f857e-1f859a 1416->1429 1430 1f85bb-1f85cb 1417->1430 1431 1f84a7-1f84ae 1417->1431 1425 1f80a6-1f80cf call 28a430 1418->1425 1418->1426 1419->1402 1423 1f808b 1419->1423 1421->1412 1422 1f823b 1421->1422 1422->1379 1423->1398 1424->1368 1425->1368 1441 1f8541-1f855d 1426->1441 1442 1f8101-1f8112 1426->1442 1434 1f82ce-1f82d6 1428->1434 1435 1f82c2-1f82cb call 1fe250 1428->1435 1439 1f859c-1f85a5 call 1fe250 1429->1439 1440 1f85a8-1f85b0 1429->1440 1432 1f85d2-1f85d7 1430->1432 1436 1f84d5-1f84dc 1431->1436 1437 1f84b0-1f84cb 1431->1437 1432->1362 1447 1f85d9-1f85e0 1432->1447 1434->1301 1444 1f82d8-1f82e1 call 1fe250 1434->1444 1435->1434 1445 1f84de-1f84f9 1436->1445 1446 1f8503-1f8514 NtSetContextThread 1436->1446 1437->1436 1439->1440 1440->1362 1443 1f85b6 1440->1443 1449 1f855f-1f8568 call 1fe250 1441->1449 1450 1f856b-1f8573 1441->1450 1454 1f8114-1f811d call 1fe250 1442->1454 1455 1f8120-1f8128 1442->1455 1443->1371 1444->1301 1445->1446 1446->1430 1460 1f851a-1f8527 NtClose 1446->1460 1447->1385 1449->1450 1450->1371 1462 1f8579 1450->1462 1454->1455 1455->1300 1457 1f812a-1f8133 call 1fe250 1455->1457 1457->1300 1460->1417 1467 1f852d-1f853c 1460->1467 1462->1362 1467->1432
APIs
• memset.MSVCRT ref: 001F7F6A
• GetModuleHandleA.KERNEL32(00000000), ref: 001F802F
• LoadLibraryA.KERNEL32(00000000,00000000), ref: 001F803C
• GetProcAddress.KERNEL32(?,00000000), ref: 001F80F4
• GetModuleHandleA.KERNEL32(00000000), ref: 001F81F0
• GetProcAddress.KERNEL32(?,00000000), ref: 001F82A2
• AddVectoredExceptionHandler.KERNEL32(00000001,001F7E80), ref: 001F82EB
  • Part of subcall function 001F9320: memcpy.MSVCRT(00000001,00000021,00315AC0), ref: 001F937D
• NtQueryInformationProcess.NTDLL(000000FF,00000000,?,00000018,00000000), ref: 001F830D
• NtQuerySystemInformation.NTDLL(00000005,00000000,00100000,00000000), ref: 001F8357
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: AddressHandleInformationModuleProcQuery$ExceptionHandlerLibraryLoadProcessSystemVectoredmemcpymemset
• String ID: ?$called `Result::unwrap()` on an `Err` value
• API String ID: 4247985971-3528718506
• Opcode ID: ade27f9a332ab8c6f5f01fd81ecde77d4638374d109d3819c5793d3892fc337f
• Instruction ID: 73743612247431eb7fcef9f5c337d9942d0c58b0f5372dc7061e072ffd22c393
• Opcode Fuzzy Hash: ade27f9a332ab8c6f5f01fd81ecde77d4638374d109d3819c5793d3892fc337f
• Instruction Fuzzy Hash: A2226FB1E003089BDB15DF94DC81BFEBBF9AF59704F140065FA04A7292EBB19945CB61

Control-flow Graph
control_flow_graph: [graph edge list and executed/not-executed legend omitted; the graph's basic blocks reference Sleep (1f1198), _amsg_exit (1f1333), _initterm (1f134d, 1f13a0), SetUnhandledExceptionFilter and malloc (1f1214), strlen/malloc/memcpy (1f1278) and _cexit (1f1380), plus calls to 2aac60, 2aa6f0, 2aaa90, 2aa8e0, 1f3f20 and 2ab3e0]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
• String ID:
• API String ID: 3806033187-0
• Opcode ID: cffd193d51f672ef7b282b86a2c4dcfc11a440e413ebda95c8ebf3460bd5c831
• Instruction ID: 7deb2bfcb1fd5e0e2be18b2ba8ecc4ec019a0a7cfd9168dd7de1eb961e707588
• Opcode Fuzzy Hash: cffd193d51f672ef7b282b86a2c4dcfc11a440e413ebda95c8ebf3460bd5c831
• Instruction Fuzzy Hash: 66519AB4904309DFCB16EFA4D88466EBBF8FF45311F014829DA8997360DB72A944CF92

Control-flow Graph
control_flow_graph: [graph edge list and executed/not-executed legend omitted; the graph's basic blocks reference GetCurrentProcessId and GetCurrentThreadId (b98884), SHGetSpecialFolderPathW and GetForegroundWindow (b988ad) and ExitProcess (b98ab7), plus calls to bcf640, bc8690, bcfc60, bce510, b99d10, b9cac0, b9b670 and b98180]
APIs
• GetCurrentProcessId.KERNEL32 ref: 00B98884
• GetCurrentThreadId.KERNEL32 ref: 00B9888D
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00B98934
• GetForegroundWindow.USER32 ref: 00B9894B
• ExitProcess.KERNEL32 ref: 00B98AB9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
Similarity
• API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
• String ID: dI$$dI$
• API String ID: 4063528623-1516109411
• Opcode ID: e249be2d4263b5429c9379d2d3736288f70fa70b17d7d2d76daf381a1f20ba6d
• Instruction ID: 87d5c2ac2e59fe19293f2f2265c7e4c8026c31cb9cf2c399e57d95c92953e518
• Opcode Fuzzy Hash: e249be2d4263b5429c9379d2d3736288f70fa70b17d7d2d76daf381a1f20ba6d
• Instruction Fuzzy Hash: 76515733B403044BC718AEB58C9636AFAD7DBC5310F0AC17EA954DB3A2EE789C058685

Control-flow Graph
control_flow_graph: [graph edge list and executed/not-executed legend omitted; the graph's basic blocks reference _amsg_exit (1f1333), _initterm (1f134d, 1f13a0), SetUnhandledExceptionFilter and malloc (1f1214), strlen/malloc/memcpy (1f1278) and _cexit (1f1380), plus calls to 2aac60, 2aa6f0, 2aaa90, 2aa8e0, 1f3f20 and 2ab3e0]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: malloc$ExceptionFilterUnhandled_amsg_exit_inittermmemcpystrlen
• String ID:
• API String ID: 1364285269-0
• Opcode ID: be84af105ebcfe3575ef4dbdb336185f3345bbde02f576ef12bca98b74a8b8e6
• Instruction ID: 83806530e44148e72178d9b3d05c803763e640bc2e30959ee782a889da03e901
• Opcode Fuzzy Hash: be84af105ebcfe3575ef4dbdb336185f3345bbde02f576ef12bca98b74a8b8e6
• Instruction Fuzzy Hash: 904145B4904309CFCB56EF64D88466EBBF5BF49311F00882DD98897360DB36A944CF92

Control-flow Graph
control_flow_graph: [graph edge list and executed/not-executed legend omitted; the graph's basic blocks reference Sleep (1f1198), _amsg_exit (1f1333), _initterm (1f134d, 1f13a0), SetUnhandledExceptionFilter and malloc (1f1214), strlen/malloc/memcpy (1f1278) and _cexit (1f1380), plus calls to 2aac60, 2aa6f0, 2aaa90, 2aa8e0, 1f3f20 and 2ab3e0]
APIs
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_inittermmemcpystrlen
• String ID:
• API String ID: 2601417275-0
• Opcode ID: 925ce1dca3ae049905f4cd9a8fc74c91c91766304706f0144e8d1b00c004e482
• Instruction ID: 3d6365a62e25502e4adc19ceb2f4f7ed7d8f7bc304081db2cadd422e029f2ae8
• Opcode Fuzzy Hash: 925ce1dca3ae049905f4cd9a8fc74c91c91766304706f0144e8d1b00c004e482
• Instruction Fuzzy Hash: F14168B0A04309CFCB55EF68D88476EB7F4BF48351F008829D98897360DB32A944CF92

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • AddVectoredExceptionHandler.KERNEL32(00000000,0025A790,?,?,?,?,?,?,?,?,?,?,00000001,?,?,001F3F4A), ref: 0022FE70
                                                                                                                                                                                                    • SetThreadStackGuarantee.KERNEL32(00005000,00000000,0025A790,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0022FE80
                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0022FE85
                                                                                                                                                                                                    • SetThreadDescription.KERNELBASE(00000000,main,00005000,00000000,0025A790,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0022FE96
                                                                                                                                                                                                      • Part of subcall function 00230440: TlsGetValue.KERNEL32(?,?,?,0022FE9D,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0023044F
                                                                                                                                                                                                      • Part of subcall function 002302D0: TlsGetValue.KERNEL32(00000000,?,00000000,00350058,?,?,?,?,?,?,?,?,?,?,00000001), ref: 002302F4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Thread$Value$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
                                                                                                                                                                                                    • String ID: main
                                                                                                                                                                                                    • API String ID: 1241031705-3207122276
                                                                                                                                                                                                    • Opcode ID: 0e54f8cfa2b85dc3774540fd1393b9063abea992d467d468e2286345a54c1296
                                                                                                                                                                                                    • Instruction ID: dd4bc219436c8c3c01f00d26d13caaa50a81340e4f7cdf13a26b06963a6f8ef0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e54f8cfa2b85dc3774540fd1393b9063abea992d467d468e2286345a54c1296
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3E41A5F1D10209ABEB05DFE4EC81BDEB7B8AF04304F144025F804A7291EB759969CFA5

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 1708 1f1160-1f1185 1710 1f11a4-1f11b0 1708->1710 1711 1f11b2-1f11bc 1710->1711 1712 1f1190-1f1192 1710->1712 1713 1f1333-1f1347 _amsg_exit 1711->1713 1714 1f11c2-1f11c9 1711->1714 1715 1f1198-1f11a1 Sleep 1712->1715 1716 1f1320-1f132d 1712->1716 1719 1f134d-1f136d _initterm 1713->1719 1720 1f11e7-1f11e9 1713->1720 1717 1f11cf-1f11e1 1714->1717 1718 1f13a0-1f13be _initterm 1714->1718 1715->1710 1716->1713 1716->1714 1717->1719 1717->1720 1721 1f11ef-1f11f6 1719->1721 1722 1f1373-1f1379 1719->1722 1720->1721 1720->1722 1723 1f11f8-1f1211 1721->1723 1724 1f1214-1f125e call 2aac60 SetUnhandledExceptionFilter call 2aa6f0 call 2aaa90 malloc 1721->1724 1722->1721 1723->1724 1732 1f13c8-1f13ca 1724->1732 1733 1f1264-1f1275 1724->1733 1734 1f1278-1f12ae strlen malloc memcpy 1733->1734 1734->1734 1735 1f12b0-1f12fd call 2aa8e0 call 1f3f20 1734->1735 1740 1f13cf-1f13de call 2ab3e0 1735->1740 1741 1f1303-1f130b 1735->1741 1742 1f130d-1f1318 1741->1742 1743 1f1380-1f1395 _cexit 1741->1743
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3806033187-0
                                                                                                                                                                                                    • Opcode ID: 3298c23478c6225654ec6234c2be4788c35c96a07442480d00138cc04454f896
                                                                                                                                                                                                    • Instruction ID: f68c28d1ccb34da1bbdfed2b611a260afbbf3215457db07fd0be0eeb65ee079b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3298c23478c6225654ec6234c2be4788c35c96a07442480d00138cc04454f896
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 45416AB5904309DFCB15DF68D98466EBBF8FF45311F048929D94497360DB32A944CF92

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 1818 20ae60-20ae6d 1819 20ae9b-20aea1 1818->1819 1820 20ae6f-20ae81 BCryptGenRandom 1818->1820 1820->1819 1821 20ae83-20ae98 SystemFunction036 1820->1821 1821->1819
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • BCryptGenRandom.BCRYPT(00000000,?,?,00000002,00000000,00000000,?,?,0020A9A7,?,Y\ ,?,00000000,?,00205C59,?), ref: 0020AE77
                                                                                                                                                                                                    • SystemFunction036.ADVAPI32(?,?,00000000,?,?,00000002,00000000,00000000,?,?,0020A9A7,?,Y\ ,?,00000000), ref: 0020AE89
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CryptFunction036RandomSystem
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1232939966-0
                                                                                                                                                                                                    • Opcode ID: 64ff9b39271a35cde2008302aba175f506d380be61680f8c4f234fde65af9d4d
                                                                                                                                                                                                    • Instruction ID: 7f0d443b3319392fe62550165d6c0b5c2ebb429093bc7bdfda7da52bf72a9929
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 64ff9b39271a35cde2008302aba175f506d380be61680f8c4f234fde65af9d4d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DDE0D8336113297AEF2019959CC1F66BB5CDB8ABE4F520221FF1897092C9604C5101E0

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 1845 b9af9d-b9b1bf 1846 b9b1c0-b9b1d7 1845->1846 1846->1846 1847 b9b1d9-b9b1e4 1846->1847 1848 b9b1e7-b9b1eb 1847->1848
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: $$'P
                                                                                                                                                                                                    • API String ID: 0-3739442336
                                                                                                                                                                                                    • Opcode ID: 68170e2fb9ddc145a0ab2f973105040c4f167f541d8be59701ff71c1096ac9ac
                                                                                                                                                                                                    • Instruction ID: c00e74fd2031f71fdb1fe781cec2936ea9076e869de0849a241bbbc8c4d7868c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 68170e2fb9ddc145a0ab2f973105040c4f167f541d8be59701ff71c1096ac9ac
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7851C9B8045B448FE264CF229592BD7BBB1BB22304F108A0DD2EB5BB55DB717046CF86
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcessHeap.KERNEL32(?), ref: 00249460
                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 00249469
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 16e183b6eb68152252668b6be5a544e1ffa688d1baf64f404ecaa14cce942121
• Instruction ID: b4b62ad6450ae02f75918d696ff8f7d3ce1c2f842537c1f7340bf82d49c9b396
• Opcode Fuzzy Hash: 16e183b6eb68152252668b6be5a544e1ffa688d1baf64f404ecaa14cce942121
• Instruction Fuzzy Hash: 77E0EC31124315BBCA04AA55C845A4BB7ACEB45764F104415F94867211C770BD50CAD5
APIs
• LdrInitializeThunk.NTDLL(00BD2ECD,776E7000,00000018,?,?,00000018,?,?,?), ref: 00BCFD1E
Memory Dump Source
• Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
• Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
• Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
Similarity
• API ID:
• String ID: Ga/
• API String ID: 0-89300550
• Opcode ID: 51550702cfd504d72f5a12aeca09be598326afd27c599b703129edc261ec91e3
• Instruction ID: aaa47ca888901d13569dc71871978ca67096ab7d1f2864ddb19b5bfa91e60633
• Opcode Fuzzy Hash: 51550702cfd504d72f5a12aeca09be598326afd27c599b703129edc261ec91e3
• Instruction Fuzzy Hash: B84113B12593458BCB08CF64DCA167BB7E1FFE4314F58852DE4868B3A0EB34C9028B46
Memory Dump Source
• Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ca926707e30495cfe13d707a6afe50ab5bbb3b1fa5b40a492be75a379a47bca
• Instruction ID: abde8f9d1bf0944c5fb558b4707fab6230b1754e2213d02b35fa66d34f72d3da
• Opcode Fuzzy Hash: 5ca926707e30495cfe13d707a6afe50ab5bbb3b1fa5b40a492be75a379a47bca
• Instruction Fuzzy Hash: BA01D87060D742EBC318CF259C21A2ABBE1AB82700F14D46DE09597255DB30D501CB46

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 1275 2a5b20-2a5b24 1276 2a5b27 call 2a5700 1275->1276 1277 2a5b2c-2a5b30 1276->1277 1278 2a5c33-2a5c3c 1277->1278 1279 2a5b36-2a5b86 GetCurrentThreadId CreateEventA call 2a9090 1277->1279 1282 2a5b8c-2a5bea GetCurrentProcess GetCurrentThread GetCurrentProcess DuplicateHandle 1279->1282 1283 2a5c3d-2a5c53 call 2a57f0 call 2a5a60 1279->1283 1284 2aba9e-2abae7 abort GetModuleHandleA 1282->1284 1285 2a5bf0-2a5c2d GetThreadPriority TlsSetValue 1282->1285 1293 2a5c58-2a5c6b TlsGetValue 1283->1293 1294 2abb19-2abb1e 1284->1294 1295 2abae9-2abb18 GetProcAddress * 2 1284->1295 1285->1278 1285->1284 1296 2a5c78-2a5c7b 1293->1296 1297 2a5c6d-2a5c70 1293->1297 1295->1294 1296->1275 1296->1284
APIs
• GetCurrentThreadId.KERNEL32 ref: 002A5B3D
• CreateEventA.KERNEL32 ref: 002A5B65
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,771ADF20), ref: 002A5BA7
• GetCurrentThread.KERNEL32 ref: 002A5BAB
• GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,771ADF20), ref: 002A5BB3
• DuplicateHandle.KERNELBASE ref: 002A5BDF
• GetThreadPriority.KERNEL32 ref: 002A5BF6
• TlsSetValue.KERNEL32 ref: 002A5C22
• TlsGetValue.KERNEL32 ref: 002A5C60
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA9E
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,002A3854), ref: 002ABADC
• GetProcAddress.KERNEL32 ref: 002ABAFC
• GetProcAddress.KERNEL32 ref: 002ABB10
Strings
• RemoveVectoredExceptionHandler, xrefs: 002ABB05
• AddVectoredExceptionHandler, xrefs: 002ABAF1
• kernel32.dll, xrefs: 002ABAD5
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Current$Thread$AddressHandleProcProcessValue$CreateDuplicateEventModulePriorityabort
• String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 1214264455-3889795909
• Opcode ID: 5a15e14eca08fd37ebd283370eebbba2a8c28937b35b643c6cdc1c7301d8387b
• Instruction ID: 348b3c475db0ff666bef83f25f7bccec33992977679dd0ed6c041ea7e10f267a
• Opcode Fuzzy Hash: 5a15e14eca08fd37ebd283370eebbba2a8c28937b35b643c6cdc1c7301d8387b
• Instruction Fuzzy Hash: 58414AB18147008FD701AF79E98931ABFF8FB45315F004A6DE88587266EB74D858CFA2

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 1575 1f9320-1f9333 1576 1f9339-1f9344 1575->1576 1577 1f95a1-1f95c4 call 28a2c2 1575->1577 1578 1f934a-1f934c 1576->1578 1579 1f9586-1f958d call 1f91b0 1576->1579 1584 1f95c9-1f95ce call 1fe440 1577->1584 1581 1f9593-1f959c call 27d7a9 1578->1581 1582 1f9352 1578->1582 1579->1581 1579->1582 1581->1577 1585 1f9354-1f935f call 1fe240 1582->1585 1586 1f9373 1582->1586 1593 1f9364-1f9369 1585->1593 1592 1f9378-1f9394 memcpy 1586->1592 1594 1f939a-1f9428 1592->1594 1595 1f95d3-1f95d5 1592->1595 1598 1f936f-1f9371 1593->1598 1599 1f9655-1f9671 call 27d7a9 1593->1599 1594->1584 1600 1f942e-1f9529 call 1f5da0 call 1f5680 1594->1600 1596 1f95d7-1f95e0 call 1fe250 1595->1596 1597 1f95e3-1f95fc call 28a430 1595->1597 1596->1597 1606 1f9601-1f964b call 28a430 1597->1606 1598->1592 1610 1f96a4-1f96bc call 2a2fc0 1599->1610 1611 1f9673-1f96a1 call 1fe250 1599->1611 1600->1595 1617 1f952f-1f9545 call 203e80 1600->1617 1614 1f9650-1f9653 1606->1614 1622 1f96be-1f96c4 1610->1622 1623 1f96d2 1610->1623 1611->1610 1614->1599 1617->1597 1627 1f954b-1f956d call 290510 1617->1627 1625 1f96d8-1f96e3 call 298d20 1622->1625 1626 1f96c6-1f96d1 call 299980 1622->1626 1623->1625 1627->1606 1634 1f9573-1f9585 1627->1634
APIs
• memcpy.MSVCRT(00000001,00000021,00315AC0), ref: 001F937D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: memcpy
• String ID: 2-by$called `Result::unwrap()` on an `Err` value$expa$nd 3$te k
• API String ID: 3510742995-1970462302
• Opcode ID: e1a166737ec7a9cbc43110627d94fab274aff46c476afb873889f77da98004b9
• Instruction ID: 2ab058ccd444813c474d767add222b91d9040741ba9e2bc31581fee25cb6ec08
• Opcode Fuzzy Hash: e1a166737ec7a9cbc43110627d94fab274aff46c476afb873889f77da98004b9
• Instruction Fuzzy Hash: B6917F75918B88DAD721EF14DC41BABB7F9BFDA340F004A0EF9889B151EB709484CB52

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    control_flow_graph 1746 2041e0-2041f3 1747 204392-2043a6 call 25d7d0 TlsGetValue 1746->1747 1748 2041f9-204203 TlsGetValue 1746->1748 1750 204209 1747->1750 1755 2043ac 1747->1755 1748->1750 1751 20438a-204391 1748->1751 1753 204388 1750->1753 1754 20420f-204214 1750->1754 1753->1751 1756 204226-20423f call 20a990 1754->1756 1757 204216-204220 1754->1757 1755->1751 1761 204244-204249 1756->1761 1757->1756 1758 204328-204346 call 1fe240 1757->1758 1765 204348-204364 TlsGetValue TlsSetValue 1758->1765 1766 2043ae-2043ba call 27d7c4 1758->1766 1763 2043bc-204403 call 289fd0 1761->1763 1764 20424f-2042a2 call 206540 * 2 call 1fe240 1761->1764 1777 204406 1763->1777 1781 204408-204451 call 27d7c4 call 1fe250 call 2a2fc0 1764->1781 1789 2042a8-20431e memset 1764->1789 1770 204382-204386 1765->1770 1771 204366-20436a 1765->1771 1766->1777 1770->1751 1775 204375-20437f call 1fe250 1771->1775 1776 20436c-204372 call 206090 1771->1776 1775->1770 1776->1775 1777->1781 1795 204460-204469 call 28a251 1781->1795 1796 204453-20445d call 1fe250 1781->1796 1789->1758 1801 204478-2044a7 call 2a2fc0 call 28a251 1795->1801 1802 20446b-204475 call 206090 1795->1802 1796->1795 1809 2044b6-2044be 1801->1809 1810 2044a9-2044b1 1801->1810 1802->1801 1812 2044c0-2044d7 1809->1812 1813 2044d9-2044df 1809->1813 1811 20453b-20454a call 204710 1810->1811 1812->1811 1814 2044e1-204506 1813->1814 1815 204508-204536 1813->1815 1814->1811 1815->1811
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002041FB
                                                                                                                                                                                                    • memset.MSVCRT ref: 002042C2
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(00000000), ref: 00204350
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,00000000,00000000), ref: 0020435D
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0020439E
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Value$memset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3732838118-0
                                                                                                                                                                                                    • Opcode ID: 7f33e08bbb117c3656fe84d1bc9521f70ba22d5193d457dd47aa5874da29355f
                                                                                                                                                                                                    • Instruction ID: bfe085d670ad834622e83cfa6fba4d02ccc657e98ecd0d7a72c0ee1ddf26c2ce
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f33e08bbb117c3656fe84d1bc9521f70ba22d5193d457dd47aa5874da29355f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 44914BB1914340AFD701EF248C427EABBF4AFA5314F148658FA445B2D3E7719668CB92
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcessHeap.KERNEL32(?,0024942C,?,?,?,?,?,?,?,?,?,?,?,?,80000000,?), ref: 0025A953
                                                                                                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,0024942C), ref: 0025A963
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$AllocProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1617791916-0
                                                                                                                                                                                                    • Opcode ID: d7fd53b4c5597121ba28862d77ff2c03ee8de1afbacbf0044e3576887307571b
                                                                                                                                                                                                    • Instruction ID: bd227a3f30dd0687c04ba6a47f16dd92c2c465cc75668db9d424fe0a34a792b0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7fd53b4c5597121ba28862d77ff2c03ee8de1afbacbf0044e3576887307571b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BEC08C3202030D6B8F002EF02C06A2B335C6F85310B140424BE0C81412ED36D4309A91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetForegroundWindow.USER32 ref: 00BCFF55
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ForegroundWindow
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2020703349-0
                                                                                                                                                                                                    • Opcode ID: 9b73f1acad88e96621a6d576259a3daa459bcc3ff4271de7874e35f03b7117b0
                                                                                                                                                                                                    • Instruction ID: ac14e154a2194430938ca892b2769342239cf512bfd85122de2851eca9dae00f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b73f1acad88e96621a6d576259a3daa459bcc3ff4271de7874e35f03b7117b0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6001F236B661428B8B488B38DC619BBB7E3E781314B4898BED152C33A5EE38D4058B01
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlReAllocateHeap.NTDLL(?,00000000), ref: 00BCFCC0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                                                                    • Opcode ID: f7f823b5029b781a7eba3cdff90bc3c0f3feacb30003f205e65b8dc870ea5a5e
                                                                                                                                                                                                    • Instruction ID: 945cd1aaf26a795d95a6ebcbf8ee0dcd2e6a300f75270a4227c0874fc73d9077
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f7f823b5029b781a7eba3cdff90bc3c0f3feacb30003f205e65b8dc870ea5a5e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 21B09B3124505079C5141759FD49F9B7E65D791751F5000E5F1019A07546115441D658
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlAllocateHeap.NTDLL(?,00000000,C9C82FCE,A16C1943,00B98A15,C9C82FCE), ref: 00BCE520
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocateHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1279760036-0
                                                                                                                                                                                                    • Opcode ID: 7a794144e8689837f409a128272eb7cdfc3793bca359fa57e74434950ea2f368
                                                                                                                                                                                                    • Instruction ID: 9ed3fdabbf458aab00360fc2930bafe57f1f9d0740cc3dd6b3785bd6be454be7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7a794144e8689837f409a128272eb7cdfc3793bca359fa57e74434950ea2f368
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7C09B31455160BFC9142B14FC05FC67F98DF45361F420491B004A7171C7616C81C6D8
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(?,00000000), ref: 00BCE550
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534711979.0000000000B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 00B91000, based on PE: false
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_b91000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FreeHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3298025750-0
                                                                                                                                                                                                    • Opcode ID: 6e13b1d045c4bf2dbe1f76639ca842fd3e2cead4ce88363a44642a6c1a78d4be
                                                                                                                                                                                                    • Instruction ID: 8e066b73103fee1a312e599e9213597b830344698faa12573a10b2015c771d0b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e13b1d045c4bf2dbe1f76639ca842fd3e2cead4ce88363a44642a6c1a78d4be
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C6B01230041050BEC6103B14FC0AFC53E50EB01350F010081B108990B18B115851C58C
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 002533C7
                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(?), ref: 00253559
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00253EBD
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 002571E3
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00257ABB
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                     • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseEnvironmentHandleStrings$ErrorFreeLast
                                                                                                                                                                                                    • String ID: program path has no file name$.exeprogram not found$?$H$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NULexit code:
                                                                                                                                                                                                    • API String ID: 1593577933-227677938
                                                                                                                                                                                                    • Opcode ID: e33f41b95110ef2600a02dfde4a520f64ca6d3625be7588438ec8e20d9bf467e
                                                                                                                                                                                                    • Instruction ID: 2c94b03cbc1f6d30e8027d920f7029a77a0b3ca849988f7e64a83b251f7723bd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e33f41b95110ef2600a02dfde4a520f64ca6d3625be7588438ec8e20d9bf467e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C48303719283519FD720CF24C881BABB7E1BFD9305F14892DEC8997392E7709958CB86
APIs
Strings
• RemoveVectoredExceptionHandler, xrefs: 002ABB05
• AddVectoredExceptionHandler, xrefs: 002ABAF1
• kernel32.dll, xrefs: 002ABAD5
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: strlen
• String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 39653677-3889795909
• Opcode ID: 4fd9ac2a9b333ab402457d6f106c270fba116438444a5a74494dfca86b04bff0
• Instruction ID: 3882230897c8fbab72d82fd77f1bbe8f648a52a2a7ac73dca6e3091b92a673dd
• Opcode Fuzzy Hash: 4fd9ac2a9b333ab402457d6f106c270fba116438444a5a74494dfca86b04bff0
• Instruction Fuzzy Hash: D612D070928741CFD724CF2CC484766BBE1AF87314F0986ADD8D58B3A2DB75A858DB42
Strings
• O, xrefs: 00262CE6
• .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types, xrefs: 002600D3
• O, xrefs: 002622BC
• P, xrefs: 002612B2
• 4, xrefs: 00261F9E
• .debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwo, xrefs: 002624A9
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID:
• String ID: .debug_abbrev.debug_addr.debug_aranges.debug_cu_index.debug_info.debug_line.debug_line_str.debug_loc.debug_loclists.debug_ranges.debug_rnglists.debug_str.debug_str_offsets.debug_tu_index.debug_types$.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwo$4$O$O$P
• API String ID: 0-793445337
• Opcode ID: 7a72772147dfb70dd6863f8b195a063e6a039346089af5700387fcce0fcf9992
• Instruction ID: b353ec669a3adeaec633b9f51305a20e6f58b6a97f20e0de4ffd7a68b21a86be
• Opcode Fuzzy Hash: 7a72772147dfb70dd6863f8b195a063e6a039346089af5700387fcce0fcf9992
• Instruction Fuzzy Hash: 3A8336B19187818FD775CF18C490BABB7E1BFC9304F108A2EE98D97251DB70A995CB42
APIs
• GetFileInformationByHandleEx.KERNEL32(?,00000000,?,00000028), ref: 0024D7EF
• GetLastError.KERNEL32(?,00000000,?,00000028), ref: 0024D828
• CloseHandle.KERNEL32(?,?,00000000,?,00000028), ref: 0024D837
• GetFileInformationByHandleEx.KERNEL32(?,00000001,?,00000400), ref: 0024D8CB
• GetLastError.KERNEL32(?,?,00000001,?,00000400), ref: 0024D8E1
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000028), ref: 0024DD9F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000028), ref: 0024DDB2
• CloseHandle.KERNEL32(?,?,?,?,00000028), ref: 0024DE21
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: Handle$Close$ErrorFileInformationLast
• String ID:
• API String ID: 4143594976-0
• Opcode ID: ae86bfa57efdde3cc184cd2372d734958537ebbd2f29fd58e1d28398761717d9
• Instruction ID: 30e77cda5ae57ed05acc7b80acb12e5bc75f52914d11e2fe73142a32da95d2a5
• Opcode Fuzzy Hash: ae86bfa57efdde3cc184cd2372d734958537ebbd2f29fd58e1d28398761717d9
• Instruction Fuzzy Hash: C44221719283419BE724DF24C881B6FBBE5AFD5304F14891DF98897292E7B1D824CB53
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID:
• String ID: AddVectoredExceptionHandler$P<*$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 0-2451487645
• Opcode ID: e92eb4e8869fd67333276991026a661baecf5de5de23de15411345ba5202bc02
• Instruction ID: cdabbcc53c2f06f9ad4350bbc1edbb8aeb92a8375642ce5a0975b2f65068d3ec
• Opcode Fuzzy Hash: e92eb4e8869fd67333276991026a661baecf5de5de23de15411345ba5202bc02
• Instruction Fuzzy Hash: 29E19171A247018FCB14EF18C48066AF7E5BFD6314F558A69EC999B301DBB0ED25CB81
APIs
• SetLastError.KERNEL32(00000000), ref: 0025C3F1
• GetFullPathNameW.KERNEL32(?,00000000,00000002,00000000,00000000), ref: 0025C400
• GetLastError.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 0025C40B
• GetLastError.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 0025C41C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: ErrorLast$FullNamePath
• String ID: \\?\$\\?\UNC\$o1$
• API String ID: 2482867836-849259126
• Opcode ID: 6240812cb2368ae72bbbede1e171d315fb29df45741ec44add27600fc1b56dd2
• Instruction ID: 9558e26af471aa4ae6ef3aaff46a2284d269f54b6d24b62b570c3eac436c879e
• Opcode Fuzzy Hash: 6240812cb2368ae72bbbede1e171d315fb29df45741ec44add27600fc1b56dd2
• Instruction Fuzzy Hash: B6F1BFB1D2030A9FCB14CF94C885AAEB7B5AF48315F348069EC15AB241F7709D69CB99
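The per-function records above (API calls with their call-site refs, plain strings with xrefs, and the Similarity block of API/String/Opcode IDs and fuzzy hashes) are what an analyst pivots on when comparing this sample against others. The parser below is an added example and not part of the Joe Sandbox report or its tooling: it turns records in this layout into structured data, groups functions by their API String ID, and applies a heuristic (an assumption of this example, not a Joe Sandbox signature) that flags a function carrying a DLL name plus Win32-style export names as plain strings, without calling those exports directly, as a candidate for runtime API resolution. The sample text is constructed from values in the records above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the report's record layout (values taken from the
# records above, trimmed to two functions). Not an extract of the real page.
SAMPLE = """\
APIs
• GetFileInformationByHandleEx.KERNEL32(?,00000000,?,00000028), ref: 0024D7EF
• GetLastError.KERNEL32(?,00000000,?,00000028), ref: 0024D828
• CloseHandle.KERNEL32(?,?,00000000,?,00000028), ref: 0024D837
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: Handle$Close$ErrorFileInformationLast
• String ID:
• API String ID: 4143594976-0
• Opcode ID: ae86bfa57efdde3cc184cd2372d734958537ebbd2f29fd58e1d28398761717d9
• Instruction ID: 30e77cda5ae57ed05acc7b80acb12e5bc75f52914d11e2fe73142a32da95d2a5
• Opcode Fuzzy Hash: ae86bfa57efdde3cc184cd2372d734958537ebbd2f29fd58e1d28398761717d9
• Instruction Fuzzy Hash: C44221719283419BE724DF24C881B6FBBE5AFD5304F14891DF98897292E7B1D824CB53
APIs
Strings
• RemoveVectoredExceptionHandler, xrefs: 002ABB05
• AddVectoredExceptionHandler, xrefs: 002ABAF1
• kernel32.dll, xrefs: 002ABAD5
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: strlen
• String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 39653677-3889795909
• Opcode ID: 4fd9ac2a9b333ab402457d6f106c270fba116438444a5a74494dfca86b04bff0
• Instruction ID: 3882230897c8fbab72d82fd77f1bbe8f648a52a2a7ac73dca6e3091b92a673dd
• Opcode Fuzzy Hash: 4fd9ac2a9b333ab402457d6f106c270fba116438444a5a74494dfca86b04bff0
• Instruction Fuzzy Hash: D612D070928741CFD724CF2CC484766BBE1AF87314F0986ADD8D58B3A2DB75A858DB42
"""

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, ref)
    strings: list = field(default_factory=list)   # (value, xref)
    source_file: str = ""                         # memory dump the code came from
    similarity: dict = field(default_factory=dict)  # IDs and fuzzy hashes

# "• Name.MODULE(args), ref: ADDR"
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# "• Key: value" (key stops at the first colon; values may contain colons)
KV_RE = re.compile(r"^• (?P<key>[^:]+):\s?(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Heuristic shape of a Win32 export name (CamelCase, optional A/W suffix).
WIN32_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]{5,}$")

def parse_records(text):
    """Split report text into FunctionRecords; a record ends at its Instruction Fuzzy Hash."""
    records, rec, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec.apis.append((m["name"], m["module"], m["args"], m["ref"]))
        elif section == "Strings":
            body = line[2:] if line.startswith("• ") else line
            value, _, xref = body.rpartition(", xrefs: ")  # string values may contain commas
            if xref:
                rec.strings.append((value, xref))
        elif section == "Memory Dump Source":
            m = KV_RE.match(line)
            if m and m["key"] == "Source File":
                rec.source_file = m["val"].split(",", 1)[0]
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                rec.similarity[m["key"]] = m["val"]
                if m["key"] == "Instruction Fuzzy Hash":
                    records.append(rec)
                    rec, section = FunctionRecord(), None
    return records

def group_by_similarity(records, key="API String ID"):
    """Bucket functions sharing the same similarity ID (useful for cross-sample pivots)."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.similarity.get(key, ""), []).append(rec)
    return groups

def runtime_resolved_apis(rec):
    """Heuristic: export names present as strings next to a DLL name but not called
    directly in this function are candidates for GetProcAddress-style resolution."""
    called = {name for name, *_ in rec.apis}
    if not any(v.lower().endswith(".dll") for v, _ in rec.strings):
        return set()
    return {v for v, _ in rec.strings if WIN32_NAME_RE.match(v) and v not in called}

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.similarity["Opcode ID"][:16], [a[0] for a in r.apis], sorted(runtime_resolved_apis(r)))
```

On the sample, the GetFileInformationByHandleEx function yields no candidates, while the function holding only the strings `AddVectoredExceptionHandler`, `RemoveVectoredExceptionHandler` and `kernel32.dll` is flagged, which matches how the report lists those names under Strings rather than APIs. Treat the flag as a lead to confirm in the disassembly at the listed xrefs, not as a verdict: benign runtimes also resolve optional exports this way.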
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID: +NaNinf00e00E0assertion failed: ndigits > 0$\}2$assertion failed: buf.len() >= MAX_SIG_DIGITS$assertion failed: d.mant + d.plus < (1 << 61)$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: edelta >= 0library\core\src\num\diy_float.rs
(These assertion messages and the path library\core\src\num\diy_float.rs belong to the Rust standard library's float-formatting code, so this function is compiled-in Rust runtime code rather than sample-specific logic.)
• API String ID: 0-3589558864
• Opcode ID: ec2b1097a8c684637cc07fc2381d33ce60f88565f833b75adf2572234a6af514
• Instruction ID: 98094c44d4abdd9142e12c94873633b94f0feffddc3d694f166fc857eef565a1
• Opcode Fuzzy Hash: ec2b1097a8c684637cc07fc2381d33ce60f88565f833b75adf2572234a6af514
• Instruction Fuzzy Hash: 81325A75A097119FC704DF29C88071AF7E2BFC8754F158A2EF899A73A5D670DC058B82
APIs
• memset.MSVCRT ref: 002511C6
• GetModuleHandleW.KERNEL32(NTDLL.DLL), ref: 002511E2
• FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00000800,00000000), ref: 0025120E
• GetLastError.KERNEL32(00001200,00000000,?,00000000,?,00000800,00000000), ref: 00251274
Strings
Similarity
• API ID: ErrorFormatHandleLastMessageModulememset
• String ID: NTDLL.DLL$
• API String ID: 1434010500-1336672817
• Opcode ID: 16a75fbdca16915d6a0867eb894fcc9b1df5a1f915eca522d62178fc6897dce3
• Instruction ID: 365f24589d0e068526b953d10e77d3a8eda4a1f437fd7a73b606321af16b35ed
• Opcode Fuzzy Hash: 16a75fbdca16915d6a0867eb894fcc9b1df5a1f915eca522d62178fc6897dce3
• Instruction Fuzzy Hash: FEE1D172D20219ABDF10DFD4DC81BEEBBB8AF49351F180165F905B7241E77099A8CBA4
Strings
Similarity
• API ID:
• String ID: 2-by$expa$expand 3$nd 32-by$te k2-by$te k2-byexpate knd 3$te knd 3expa
(These fragments are the four 4-byte words "expa", "nd 3", "2-by", "te k" of the constant "expand 32-byte k" used in Salsa20 and ChaCha20 key setup; their presence points to a stream-cipher routine in this function.)
• API String ID: 0-1772262818
• Opcode ID: 1391a8e0975a9adc2b0a8bfe7d6b8fa79609e5bb0249d7250758481f8c467e98
• Instruction ID: 254967e30a1280c0707023ddb86824108cb58f7ea4f6ac87a52659b3bb786982
• Opcode Fuzzy Hash: 1391a8e0975a9adc2b0a8bfe7d6b8fa79609e5bb0249d7250758481f8c467e98
• Instruction Fuzzy Hash: 89E244B0D012288FDB64CFA9C984BCDFBF1BF88314F6581AAD409B7215D7306A968F54
APIs
Strings
Similarity
• API ID: memcpy$memset
• String ID: Q7
• API String ID: 438689982-2739210867
• Opcode ID: a132514f777cc059d64dc81abc1baa2eafa473448465cd9746c3fd28b6d3f499
• Instruction ID: 9aaa1f604bc5986979c844aa97c5880c652ecd284b86ac71b450c600d5191b94
• Opcode Fuzzy Hash: a132514f777cc059d64dc81abc1baa2eafa473448465cd9746c3fd28b6d3f499
• Instruction Fuzzy Hash: D412A3A18083C59EE7029B34981D7AB3F915F62318F5C45BCE5D80E283D777951AC7A3
Strings
Similarity
• API ID: Heap$FreeProcess
• String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
• API String ID: 3859560861-1169423403
• Opcode ID: b3bfee0bd5dba486e5d42040b4a3bcdae1049ce0dde488c11a7bfe1c92ddc570
• Instruction ID: 65ebed9f92a218563f5c9db7a7ac4189f7a98480b09f1be4abc65e94c58f77c5
• Opcode Fuzzy Hash: b3bfee0bd5dba486e5d42040b4a3bcdae1049ce0dde488c11a7bfe1c92ddc570
• Instruction Fuzzy Hash: 9C038CB0E002288BDF64CFA9C981BDDBBB5BF88304F1581AAE509B7211D7706E95CF54
Strings
Similarity
• API ID: Heap$FreeProcess
• String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
• API String ID: 3859560861-1169423403
• Opcode ID: 97f48c8a2df15bce88681cfdd8023e39d4d935f3ea2e86bb036e49e5159a010f
• Instruction ID: b83e57d4cf35a0fdf97b22e84c97ee11c3db588547ccdf5b6f03cc157fb0d3d5
• Opcode Fuzzy Hash: 97f48c8a2df15bce88681cfdd8023e39d4d935f3ea2e86bb036e49e5159a010f
• Instruction Fuzzy Hash: 5A038BB0E002288BDF64CFA9C981BDDBBB5BF88314F1581AAE509B7211D7706E95CF54
Strings
                                                                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
                                                                                                                                                                                                    • API String ID: 3859560861-1169423403
                                                                                                                                                                                                    • Opcode ID: 5a53c02f49d76ba054c5d8cdedf8ccb7d9c4aa8412a1ef7929b9f78e25328295
                                                                                                                                                                                                    • Instruction ID: eaa850cba4f583b6cd7192cc094b029b09e6fe81ce6cfdd19bba763e4ce9f9cd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a53c02f49d76ba054c5d8cdedf8ccb7d9c4aa8412a1ef7929b9f78e25328295
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B4038BB0E002288BDF64CFA9C981BDDBBB5BF88314F1581AAE509B7211D7706E95CF54
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
                                                                                                                                                                                                    • API String ID: 3859560861-1169423403
                                                                                                                                                                                                    • Opcode ID: d0d6c653647b1ac2fc5204ca45a0add7fe6ca094c464a0d1f0e59dc988b86494
                                                                                                                                                                                                    • Instruction ID: fe4ea5ccb701c6e7170b7ae738188c1f119d318ff43e9d2f4582d360bf8677db
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d0d6c653647b1ac2fc5204ca45a0add7fe6ca094c464a0d1f0e59dc988b86494
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 11037BB0E002288BDF64CFA9C981BDDBBB5BF88314F1581AAE509B7211D7706E95CF54
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
                                                                                                                                                                                                    • API String ID: 3859560861-1169423403
                                                                                                                                                                                                    • Opcode ID: 2d908bec1a1d2e581b9ce5a7d83b88b4ebd8b32afe260412c86cb5c25306573d
                                                                                                                                                                                                    • Instruction ID: 1f721188a44fc7296ae1fbf9cc286e156ec2f8760ef1e16848bbab72d8769b84
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2d908bec1a1d2e581b9ce5a7d83b88b4ebd8b32afe260412c86cb5c25306573d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 10037BB0E002288BDB64CFA9C981BDDFBB5BF88314F1581AAE509B7211D7706E95CF54
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InitializeProcThreadAttributeList.KERNEL32(00000000,?,00000000,00000000), ref: 002405C2
                                                                                                                                                                                                    • InitializeProcThreadAttributeList.KERNEL32(00000001,?,00000000,00000000,00000000,?,00000000,00000000), ref: 00240663
                                                                                                                                                                                                    • UpdateProcThreadAttribute.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000001,?,00000000,00000000,00000000,?,00000000,00000000), ref: 00240746
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • panicked at :fulllibrary\std\src\path.rs, xrefs: 00240843
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AttributeProcThread$InitializeList$Update
                                                                                                                                                                                                    • String ID: panicked at :fulllibrary\std\src\path.rs
                                                                                                                                                                                                    • API String ID: 3806694049-4028486446
                                                                                                                                                                                                    • Opcode ID: c6f2b76dafba8aca1cc2810c9ecd88f2b55dcac8d53247d81cb28ae2bb4011b2
                                                                                                                                                                                                    • Instruction ID: 1da1832e7cab0f0f478c0323b3824652bd1c204a822ffca82ce74371320d8af2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c6f2b76dafba8aca1cc2810c9ecd88f2b55dcac8d53247d81cb28ae2bb4011b2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FCB1F875A202019BDB189F54CCC1BBAB7A9EF94704F04842DEE45AB382D771AC65CBA1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
                                                                                                                                                                                                    • API String ID: 3859560861-1169423403
                                                                                                                                                                                                    • Opcode ID: 532962badd38df1cb995748a58e9fdd6c4e6288cdcdf5b2eddac7b7c85a74756
                                                                                                                                                                                                    • Instruction ID: 7fdab947ccf18ad7f513e1fde3a7c4dd6371fef9eb0470295d21ffdf9b4885c9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 532962badd38df1cb995748a58e9fdd6c4e6288cdcdf5b2eddac7b7c85a74756
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6037BB0E002288BDB64CFA9C981BDDBBB5BF88314F1581AAE509B7211D7706E95CF54
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
                                                                                                                                                                                                    • API String ID: 3859560861-1169423403
                                                                                                                                                                                                    • Opcode ID: 07ecdccdceb3101277b9e4b56625270e025fe5ad9bc3cd12b1419d8d0e5065cd
                                                                                                                                                                                                    • Instruction ID: 5d67ca9b8164ae093d3692cd3cc2e494a6230d694d6252f26a9d15a090634165
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 07ecdccdceb3101277b9e4b56625270e025fe5ad9bc3cd12b1419d8d0e5065cd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD037AB0E002288BDB64CFA9C981BDDFBB5BF88314F1581AAE509B7211D7706E95CF54
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
• API String ID: 3859560861-1169423403
• Opcode ID: b9f984c8f28114fb4950daa2d55bf18ddf86b999a331c8ed514b31ddf38ab385
• Instruction ID: 648022d9723599a80d13183131862371cb2472474ae3a673f9fba3b47c3fa4e3
• Opcode Fuzzy Hash: b9f984c8f28114fb4950daa2d55bf18ddf86b999a331c8ed514b31ddf38ab385
• Instruction Fuzzy Hash: AF037AB0E002288BDB64CFA9C981BDDFBB5BF88314F1581AAE509B7211D7706E95CF54
APIs
• CloseHandle.KERNEL32(?), ref: 0024E78A
• memset.MSVCRT ref: 0024E7A7
• FindFirstFileExW.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0024E7C2
• FindClose.KERNEL32(00000000,?,00000001,?,00000000,00000000,00000000), ref: 0024E7D4
Strings
Similarity
• API ID: CloseFind$FileFirstHandlememset
• String ID: <E$
• API String ID: 4181070385-1664981623
• Opcode ID: 7ecbe1628e7cd48f7581625cf54dc9eca581097102232d79518f2467efe830e0
• Instruction ID: b021d487758d8b64b68df17e9a0a401412929f824fae09d7e35c5cc40cdec5d4
• Opcode Fuzzy Hash: 7ecbe1628e7cd48f7581625cf54dc9eca581097102232d79518f2467efe830e0
• Instruction Fuzzy Hash: 4E9144B0E103099BEF24CF94C885BAEBBF5BF58314F148429E919AB381E774A954CF51
Strings
Similarity
• API ID: Heap$FreeProcess
• String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
• API String ID: 3859560861-1169423403
• Opcode ID: 493cbb696afc764adfdf4cd0c010092deedfd2ad82f3e2a1a88f88279add4c1b
• Instruction ID: a3c11d3c02a5df0405b82545036ca7153e0504eb86e02bf427b3c2ad9a0d98d0
• Opcode Fuzzy Hash: 493cbb696afc764adfdf4cd0c010092deedfd2ad82f3e2a1a88f88279add4c1b
• Instruction Fuzzy Hash: 6DE243B0D012288FDB64CFA9C980BDDFBB1BF88314F2581AAD509B7215D7706A95CF94
Strings
Similarity
• API ID:
• String ID: 2-bynd 3$expa$expa$te k2-bynd 3$te k2-bynd 3$te kexpate k2-bynd 3expa
• API String ID: 0-1169423403
• Opcode ID: 5b4e6dc10e4845c98df1a516c390e4f0a8b47a4ab8de50f9d2de8cc8d659db94
• Instruction ID: 325386f17c9979acf7b2ae1a67bfc261b2a011097f7ccf87eaca3c71db39cdf1
• Opcode Fuzzy Hash: 5b4e6dc10e4845c98df1a516c390e4f0a8b47a4ab8de50f9d2de8cc8d659db94
• Instruction Fuzzy Hash: 9DE253B0D012288FDB64CFA9C980BDDFBB1BF88314F2581AAD509B7215D7706A95CF94
Strings
Similarity
• API ID:
• String ID: 11tf$21tf$fs10$fs11$ft10$zero
• API String ID: 0-3297899624
• Opcode ID: 392d2f25d44e45a3f4478907d7506dfbff153e0ad2e0708c9d3bfbe1bfcbb4cd
• Instruction ID: ee99cb927a163f2976cc68fa561616e0075ec02ea0260d1f1ed8a421ac70ac96
• Opcode Fuzzy Hash: 392d2f25d44e45a3f4478907d7506dfbff153e0ad2e0708c9d3bfbe1bfcbb4cd
• Instruction Fuzzy Hash: AE4261144381B28C97695F2EC4260737AE2DF5A74138BC097D78F4F9F9D1B94BB0A2A1
APIs
• memcpy.MSVCRT(00000000,00000000,00000003,?,?,?,00001200,00000000), ref: 00280352
Strings
Similarity
• API ID: memcpy
• String ID: @k2$@k2
• API String ID: 3510742995-1906436157
• Opcode ID: e47691ad67d19873332642a5f5b11515f128bc7c05121c0fe6b14fc133349c4a
• Instruction ID: a6c4ba00fd4b00c4e6b98c5095b81ef1c47056f1824408506e41569ad90edfa3
• Opcode Fuzzy Hash: e47691ad67d19873332642a5f5b11515f128bc7c05121c0fe6b14fc133349c4a
• Instruction Fuzzy Hash: E502BF76E2121A8FDF00DF94C8C17EEBBB4EB55310F180169D815A7381D778AA69CBA0
APIs
• NtReadFile.NTDLL(?,00000000,00000000,00000000,00000103,?,?,00000000,00000000), ref: 0024F7C0
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,00000000,00000103,?,?,00000000,00000000), ref: 0024F7D1
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: FileObjectReadSingleWait
• String ID:
• API String ID: 631497895-0
Similarity
• API ID:
• String ID: \u$\u${${$}$}
• API String ID: 0-582841131
Similarity
• API ID:
• String ID: \u$\u${${$}$}
• API String ID: 0-582841131
Strings
• `fmt::Error`s should be impossible without a `fmt::Formatter`, xrefs: 0027D230
• __ZN, xrefs: 0027CA5B
• .g2, xrefs: 0027CD54
• .llvm./rust/deps\rustc-demangle-0.1.24\src\lib.rs, xrefs: 0027C5F8
• .g2, xrefs: 0027C935
Similarity
• API ID: memcmp
• String ID: .g2$.g2$.llvm./rust/deps\rustc-demangle-0.1.24\src\lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
• API String ID: 1475443563-4158856779
Strings
• cannot parse float from empty stringinvalid float literalassertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 00283729
• (z2, xrefs: 002836FE
• FFFF, xrefs: 0028308B
• FFFF, xrefs: 0028323B
• -, xrefs: 002836C4
Similarity
• API ID:
• String ID: (z2$-$FFFF$FFFF$cannot parse float from empty stringinvalid float literalassertion failed: edelta >= 0library\core\src\num\diy_float.rs
• API String ID: 0-1329382674
Similarity
• API ID: memset$memcpy
• String ID: -
• API String ID: 368790112-2547889144
APIs
• NtOpenFile.NTDLL(00000000,?,?,00000103,00000007,?), ref: 0024C0F7
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: FileOpen
• String ID:
• API String ID: 2669468079-0
APIs
  • Part of subcall function 002503A0: WSASocketW.WS2_32(00000002,0023E889,00000000,00000000,00000000,00000081), ref: 002503CC
• bind.WS2_32(?,?,00000010), ref: 0025E1D4
• listen.WS2_32(?,00000080), ref: 0025E1E4
• WSAGetLastError.WS2_32 ref: 0025E1F6
• closesocket.WS2_32(?), ref: 0025E20C
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorLastSocketbindclosesocketlisten
• String ID:
• API String ID: 1850986032-0
APIs
• recv.WS2_32(?,?,7FFFFFFF,00000000), ref: 00250832
• WSAGetLastError.WS2_32(?,?,7FFFFFFF,00000000,?,?,assertion failed: socket != sys::c::INVALID_SOCKET as RawSocketlibrary\std\src\os\windows\io\socket.rs,0000003F,0031AED4), ref: 0025083C
  • Part of subcall function 00240330: memset.MSVCRT ref: 00240350
  • Part of subcall function 00240330: GetCurrentProcessId.KERNEL32 ref: 0024035A
  • Part of subcall function 00240330: WSADuplicateSocketW.WS2_32(0F08C483,00000000,?), ref: 00240362
  • Part of subcall function 00240330: WSASocketW.WS2_32(?,?,?,?,00000000,00000081), ref: 00240386
Strings
• assertion failed: socket != sys::c::INVALID_SOCKET as RawSocketlibrary\std\src\os\windows\io\socket.rs, xrefs: 00250805
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Socket$CurrentDuplicateErrorLastProcessmemsetrecv
• String ID: assertion failed: socket != sys::c::INVALID_SOCKET as RawSocketlibrary\std\src\os\windows\io\socket.rs
• API String ID: 3340724250-42570012
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• bind.WS2_32(?,?,00000010), ref: 0025E57E
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: bind
• String ID:
• API String ID: 1187836755-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: O$O$O
                                                                                                                                                                                                    • API String ID: 0-1604089782
• Opcode ID: 63a4310b131ada51dd8db1aa43cfdfb799093d2b73e4dbfbe2312b80b1a433c8
• Instruction ID: 5a372427d5f15e645606bf7348ac18854982d631946441a404ab2fe0951b4895
• Opcode Fuzzy Hash: 63a4310b131ada51dd8db1aa43cfdfb799093d2b73e4dbfbe2312b80b1a433c8
• Instruction Fuzzy Hash: 9F8247749183919FC724CF19D080B6AFBF1BF88310F158A6EE89997362D770E855CB92
Strings
Similarity
• API ID:
• String ID: $-$NAN
• API String ID: 0-3673145351
• Opcode ID: 1b8dba3663aaf4d5a860fdbf70f1d0aae5c3daef54ab4f610a1f1e54c59d73a7
• Instruction ID: 19e490eff79d810c1e1e9ab66e5f121532ebb8acc2d3785501aa76543addd4bc
• Opcode Fuzzy Hash: 1b8dba3663aaf4d5a860fdbf70f1d0aae5c3daef54ab4f610a1f1e54c59d73a7
• Instruction Fuzzy Hash: 77223671A287258FEB12CF24C8807AEB7E5FF85314F14892DE885A7281D374DD59CB82
Strings
Similarity
• API ID:
• String ID: -+NaNinf00e00E0assertion failed: ndigits > 0$.$d
• API String ID: 0-1458908954
• Opcode ID: 8c21e8084b80c54979092ad2d711f88f2cc3519deacc4538d0f789eaa8a15986
• Instruction ID: 6128e802e49f19efd78fd3bf80d76fb97b2fc98efcc0982c7fbedd877eab2450
• Opcode Fuzzy Hash: 8c21e8084b80c54979092ad2d711f88f2cc3519deacc4538d0f789eaa8a15986
• Instruction Fuzzy Hash: DE02D472F102298FDF18CE6DC8957ADB6B6BB88300F1A813DD809EB391D6759D458BC1
Strings
• te kexpate k2-byte kte k2-by2-bynd 3nd 3expa2-byexpand 3, xrefs: 00206856
• nd 3expa, xrefs: 002068A4
Similarity
• API ID:
• String ID: nd 3expa$te kexpate k2-byte kte k2-by2-bynd 3nd 3expa2-byexpand 3
• API String ID: 0-2854347106
• Opcode ID: a29f715f6d2fcaed6b58b3be88853907cee8bcc336144ecb45ba229b79d6de9e
• Instruction ID: 3bf23fc60b4a1524c60c789cd57a499aadc901fe1eac9743f825dcf91153ba2d
• Opcode Fuzzy Hash: a29f715f6d2fcaed6b58b3be88853907cee8bcc336144ecb45ba229b79d6de9e
• Instruction Fuzzy Hash: 5FE25AB0D012288FDB68CF99C984BDDFBB1BF88314F6581AAD409B7215D7346A86CF54
Strings
• nd 3expa, xrefs: 002093D4
• te kexpate k2-byte kte k2-by2-bynd 3nd 3expa2-byexpand 3, xrefs: 00209386
Similarity
• API ID:
• String ID: nd 3expa$te kexpate k2-byte kte k2-by2-bynd 3nd 3expa2-byexpand 3
• API String ID: 0-2854347106
• Opcode ID: 64ed0acc27c8227c16d32ef560bab9731505e12ab7309660c7c83622f68fff33
• Instruction ID: 08e085400ccde75382256887e58abc42151eb01e81f070b3ea45e5929b7a83d4
• Opcode Fuzzy Hash: 64ed0acc27c8227c16d32ef560bab9731505e12ab7309660c7c83622f68fff33
• Instruction Fuzzy Hash: A9E259B0D012288FDB68CF99C984BDDFBB1BF88314F6581AAD409B7215D7346A86CF54
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 701328e23a0e5dc6adafd7ed6b7304df9096c2c5af97ebf4c13bbf5a1365ffbc
• Instruction ID: ec78efaaf47051e70a070d488692a97c792b5e4dd16bd4442f7a07da77d2ebcb
• Opcode Fuzzy Hash: 701328e23a0e5dc6adafd7ed6b7304df9096c2c5af97ebf4c13bbf5a1365ffbc
• Instruction Fuzzy Hash: F612D131A147019FCB14CF18C880AAAB7F6FFD9350F148A1DE9899B351D771E9A5CB82
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 9d20080d5f17355b49bba04f9ac84e2d96974d37429b8600816d4b17ab09c53b
                                                                                                                                                                                                    • Instruction ID: a4c97cf07e007358214ad13e9cd408a6da649b6feb28591e8c355104e83190b9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d20080d5f17355b49bba04f9ac84e2d96974d37429b8600816d4b17ab09c53b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B12C031A187019FC714CF18C8C0AAAB7E6FFD9310F158A5EF4999B251D7B0E995CB82
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 2cddcd4f8e800f8c1d161ef288d1f7d3b86d5a7ad7660ea52d0ae7d7d10d6a89
                                                                                                                                                                                                    • Instruction ID: cb26152e6831b2eb3c71e03dd9b6d617f59cdbc9dcecee059d61428ce5ee2446
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2cddcd4f8e800f8c1d161ef288d1f7d3b86d5a7ad7660ea52d0ae7d7d10d6a89
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 96F17C71E2011A9FCF24CE98C881AEEB7B6FF98310F158129E915B7350D771ADA1CB90
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • XP1, xrefs: 001F684F
                                                                                                                                                                                                    • called `Result::unwrap()` on an `Err` valueRng::fill failed~\.cargo\registry\src\index.crates.io-1949cf8c6b5b557f\rand-0.8.5\src\rng.rs, xrefs: 001F6845
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: XP1$called `Result::unwrap()` on an `Err` valueRng::fill failed~\.cargo\registry\src\index.crates.io-1949cf8c6b5b557f\rand-0.8.5\src\rng.rs
                                                                                                                                                                                                    • API String ID: 0-3795276692
                                                                                                                                                                                                    • Opcode ID: 943af524b76a486b9902b6007ee447a2735e4f01bdc2825e4737ad61f03406be
                                                                                                                                                                                                    • Instruction ID: e48c1379006e8df4d8f3790fc3b45222b25a5c52ebfa85256d362f9adda6ceac
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 943af524b76a486b9902b6007ee447a2735e4f01bdc2825e4737ad61f03406be
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6ED12835E04B599BC7169F3C88426BAF7A1BFDA384F44C72EEDA577246E73098458380
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • -+NaNinf00e00E0assertion failed: ndigits > 0, xrefs: 0028C300
                                                                                                                                                                                                    • e0E0assertion failed: buf.len() >= ndigits || buf.len() >= maxlen, xrefs: 0028C459
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: -+NaNinf00e00E0assertion failed: ndigits > 0$e0E0assertion failed: buf.len() >= ndigits || buf.len() >= maxlen
                                                                                                                                                                                                    • API String ID: 0-3864725730
                                                                                                                                                                                                    • Opcode ID: 98584e9a108f5bf849af9f0cd1a8f2b9914412d1afb5b39dd01edc84f86fd1b5
                                                                                                                                                                                                    • Instruction ID: 358005c5f39ffc6a1e2bab0349cd25c61e62e8b92495da084b3d4557ecdac883
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 98584e9a108f5bf849af9f0cd1a8f2b9914412d1afb5b39dd01edc84f86fd1b5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 60914875A2A3509BD714DF14C881BABB7E2FFC8304F60892EF989472D0DBB48944CB52
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • -+NaNinf00e00E0assertion failed: ndigits > 0, xrefs: 0028B731
                                                                                                                                                                                                    • assertion failed: buf.len() >= maxlen, xrefs: 0028B943
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: -+NaNinf00e00E0assertion failed: ndigits > 0$assertion failed: buf.len() >= maxlen
                                                                                                                                                                                                    • API String ID: 0-2939795802
                                                                                                                                                                                                    • Opcode ID: 6a966857ca2731c6d4382c06326834b30bcd04b02c928db613e675979856f34c
                                                                                                                                                                                                    • Instruction ID: 23028c90ca2865b804ce22a3cba95f55ab68229d7d293b54dfd34e017cc85f48
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a966857ca2731c6d4382c06326834b30bcd04b02c928db613e675979856f34c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3791EEB5A1A3108BD305DF15C84076BB7E6EFC8304F148A2DF5998B2D0EBB9D945CB46
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memcmp.MSVCRT(00000001,?,00000000), ref: 002917BE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memcmp
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1475443563-0
                                                                                                                                                                                                    • Opcode ID: aa6505ca418ab7da1652f5096cd802bcf09527bc859fd96a962be4123a54d297
                                                                                                                                                                                                    • Instruction ID: b629e3e5e4cfd3131335f1cb22b374cc260c537b45cd348a7d9877d77c5ed23c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa6505ca418ab7da1652f5096cd802bcf09527bc859fd96a962be4123a54d297
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0662D071E2021A8FDF15CF69C8807FEBBB6BF99340F15826AE845B7241D7709D618B90
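The per-function entries above are easier to pivot on (fuzzy-hash lookups, string-based build fingerprinting, which regions of the image each function was dumped from) once they are parsed out of the rendered report. The following is an added example and is not code from the Joe Sandbox report or its IDA plugin: a small Python parser that turns entries like these into records, decodes each .sdmp filename, strips the "Download File" link residue that the HTML export leaves on the Associated lines, and extracts crate name/version pairs from Rust panic paths such as the rand-0.8.5 one in the entry above. The mapping of the fifth and seventh filename fields to Windows page-protection and memory-type constants (00000020 = PAGE_EXECUTE_READ on the code region at 1F1000, 00000002 = PAGE_READONLY on the header at 1F0000, 01000000 = MEM_IMAGE on every region) is an assumption inferred from the values on this page, not documented Joe Sandbox behaviour. The sample text is a constructed excerpt of two of the entries above.

```python
"""Parse Joe Sandbox per-function entries into structured records (added example).

Assumption: the 5th and 7th dot-separated fields of an .sdmp name are the
Windows page protection and memory type (winnt.h values), inferred from the
values seen on this page; not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass, field

PAGE_PROTECTION = {  # winnt.h
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"(?P<proc>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<id>\d+)\."
    r"(?P<addr>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<idx>[0-9a-f]{8})\.sdmp", re.I)
# Cargo registry source path as embedded in Rust panic strings: ...\<crate>-<semver>\src\...
CRATE_RE = re.compile(
    r"\\registry\\src\\index\.crates\.io-[0-9a-f]+\\([A-Za-z0-9_-]+?)-(\d+\.\d+\.\d+)\\")

# Constructed sample: an excerpt of two entries from this report, "Download File" residue included.
SAMPLE = r"""
Strings
• XP1, xrefs: 001F684F
• called `Result::unwrap()` on an `Err` valueRng::fill failed~\.cargo\registry\src\index.crates.io-1949cf8c6b5b557f\rand-0.8.5\src\rng.rs, xrefs: 001F6845
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• API String ID: 0-3795276692
• Opcode ID: 943af524b76a486b9902b6007ee447a2735e4f01bdc2825e4737ad61f03406be
• Instruction ID: e48c1379006e8df4d8f3790fc3b45222b25a5c52ebfa85256d362f9adda6ceac
• Instruction Fuzzy Hash: 6ED12835E04B599BC7169F3C88426BAF7A1BFDA384F44C72EEDA577246E73098458380
APIs
• memcmp.MSVCRT(00000001,?,00000000), ref: 002917BE
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: memcmp
• String ID:
• Opcode ID: aa6505ca418ab7da1652f5096cd802bcf09527bc859fd96a962be4123a54d297
• Instruction Fuzzy Hash: 0662D071E2021A8FDF15CF69C8807FEBBB6BF99340F15826AE845B7241D7709D618B90
"""


@dataclass
class FunctionEntry:
    opcode_id: str = ""
    instruction_id: str = ""
    instruction_fuzzy_hash: str = ""
    api_ids: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address or None)
    apis: list = field(default_factory=list)     # (call, ref address or None)
    dumps: list = field(default_factory=list)    # decoded .sdmp names


def parse_sdmp_name(name):
    """Decode one memory-dump filename into process, address, protection and type."""
    m = SDMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not an .sdmp name: {name}")
    prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
    return {
        "process": int(m["proc"], 16),
        "address": int(m["addr"], 16),
        "protection": PAGE_PROTECTION.get(prot & 0xFF, hex(prot)),
        "executable": bool(prot & 0xF0),  # any PAGE_EXECUTE* value
        "type": MEM_TYPE.get(mtype, hex(mtype)),
    }


def _hex_or_none(s):
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_entries(text):
    """Split report text into FunctionEntry records; an entry ends at its Instruction Fuzzy Hash."""
    headings = {"Strings", "APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in headings:
            section = line
            continue
        if not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "Strings":
            s, _, xref = item.rpartition(", xrefs: ")
            cur.strings.append((s, _hex_or_none(xref)) if s else (item, None))
        elif section == "APIs":
            call, _, ref = item.rpartition(", ref: ")
            cur.apis.append((call, _hex_or_none(ref)) if call else (item, None))
        elif section == "Memory Dump Source":
            m = SDMP_RE.search(item)  # skips ", Offset: ..." and the "Download File" residue
            if m:
                cur.dumps.append(parse_sdmp_name(m.group(0)))
        elif section == "Similarity":
            key, _, value = item.partition(":")
            value = value.strip()
            if key == "Opcode ID":
                cur.opcode_id = value
            elif key == "Instruction ID":
                cur.instruction_id = value
            elif key == "API ID" and value:
                cur.api_ids = value.split("$")
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_fuzzy_hash = value
                entries.append(cur)
                cur = FunctionEntry()
    return entries


def cargo_crates(entries):
    """Crate name/version pairs leaked through Rust panic strings, sorted."""
    return sorted({(n, v) for e in entries for s, _ in e.strings for n, v in CRATE_RE.findall(s)})


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(e.opcode_id[:16], e.api_ids, [d["protection"] for d in e.dumps])
    print("crates:", cargo_crates(parsed))
```

Running it on the full function listing gives a list of Opcode IDs and Instruction Fuzzy Hashes to query against other reports, plus the crate inventory (here rand 0.8.5, with the newer `index.crates.io-<hash>` registry layout) that narrows the toolchain the sample was built with.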
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 0c52329c57ecbd61bd91fba5b64004b460eda4c981e7756f99357ff424e1fdb4
• Instruction ID: 6fb6aef6f76b2214750c0e9a0d094432283368554290adb6ec5a70ff9c37d729
• Opcode Fuzzy Hash: 0c52329c57ecbd61bd91fba5b64004b460eda4c981e7756f99357ff424e1fdb4
• Instruction Fuzzy Hash: 0F22B075D1222A8FCF14DFA8C8802ADF7B2BF89314F58825AD861BB3C5D7756911CB90
Strings
Similarity
• API ID:
• String ID: t(
• API String ID: 0-2597814420
• Opcode ID: 5a235130cabb6d3ffd7e4ca78b4ce63bf8e4bbcab72b44d2455351cf0178de93
• Instruction ID: 225f93d78f38a507f155c2a7526925663efced32587b798533fe80337b0f8a65
• Opcode Fuzzy Hash: 5a235130cabb6d3ffd7e4ca78b4ce63bf8e4bbcab72b44d2455351cf0178de93
• Instruction Fuzzy Hash: 6AC1AB37B106205BEBA49E3DDCD16A973CBEBC4394F2B8139D96A9B191C5709C1347C0
Strings
Similarity
• API ID:
• String ID: 8
• API String ID: 0-4194326291
• Opcode ID: 30dc2d6210e65d507386ea76b5b4443455e9e63ab62d1f8b099af04167086ef8
• Instruction ID: ba7ec60d1562996c0eb1dce3adc7584efe85a63bde470f7d7a63b8f8e439057b
• Opcode Fuzzy Hash: 30dc2d6210e65d507386ea76b5b4443455e9e63ab62d1f8b099af04167086ef8
• Instruction Fuzzy Hash: 79C1C5B1D102299FDB04CFD9D8806AEFBF2FF94314F24822AD415AB354D7749966CB90
APIs
• GetSystemInfo.KERNEL32(?), ref: 00231770
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: 4c78ec4e76b9cb4bc0c40053ab8a3564782a79c7b0f1c54ad422115530bcb34f
• Instruction ID: b5742ed7608dba47c088a43e329f35f9f143e2ca170c4a2054631c40e9f8a082
• Opcode Fuzzy Hash: 4c78ec4e76b9cb4bc0c40053ab8a3564782a79c7b0f1c54ad422115530bcb34f
• Instruction Fuzzy Hash: AEF082B4D143498BCB10DF68D5807EABBF8AF1D314F14D519E889A7300E770A9D0CB91
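The "API String ID" printed under each function's Similarity block is the key an analyst would use to cross-reference a function against other reports. The following added example (not Joe Sandbox code) shows how that tag can be reproduced from the "API ID" and "String ID" fields: on this page the two single-character String IDs "0" and "8" print as 4108050209 and 4194326291, which are exactly CRC32("0") and CRC32("8"), and blank fields print as 0. That the API-name half (e.g. "InfoSystem") follows the same CRC32 rule is an assumption, not something the page confirms. The sample report text is constructed from three of the entries above, and the parser only understands the "• Key: Value" bullet layout used on this page.

```python
"""Reproduce and cross-reference Joe Sandbox-style "API String ID" tags.

Added example, not Joe Sandbox code. The CRC32 construction is inferred from
the two single-character String IDs on this page ("0" -> 4108050209,
"8" -> 4194326291) and from blank fields printing as 0; applying the same
rule to the API-name half is an ASSUMPTION.
"""
import re
import zlib
from collections import defaultdict

# Constructed sample: three entries copied from the report's function list,
# trimmed to the fields this script reads.
SAMPLE_REPORT = """\
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 0c52329c57ecbd61bd91fba5b64004b460eda4c981e7756f99357ff424e1fdb4
• Instruction Fuzzy Hash: 0F22B075D1222A8FCF14DFA8C8802ADF7B2BF89314F58825AD861BB3C5D7756911CB90
Similarity
• API ID:
• String ID: 8
• API String ID: 0-4194326291
• Opcode ID: 30dc2d6210e65d507386ea76b5b4443455e9e63ab62d1f8b099af04167086ef8
• Instruction Fuzzy Hash: 79C1C5B1D102299FDB04CFD9D8806AEFBF2FF94314F24822AD415AB354D7749966CB90
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d26adac4bae540f9be7e6b35b9929f5dbcc45b82d6ff8b4d0a7c78f40a124fda
• Instruction Fuzzy Hash: BEB15B71B14A364BDB188E69C8907BEB7EAEF85320F6D8179D8459B394DA748CD0C780
"""

# Matches the "• Key: Value" bullet lines of the report; Value may be empty.
FIELD_RE = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def crc32_id(text: str) -> int:
    """Unsigned CRC32 of the UTF-8 bytes; the empty string hashes to 0."""
    return zlib.crc32(text.encode("utf-8")) & 0xFFFFFFFF


def api_string_id(api_id: str, string_id: str) -> str:
    """'<crc32(API ID)>-<crc32(String ID)>'; blank when both halves are blank, as on the page."""
    if not api_id and not string_id:
        return ""
    return f"{crc32_id(api_id)}-{crc32_id(string_id)}"


def parse_entries(report_text: str) -> list:
    """Split report text into one dict per function; a 'Similarity' line starts a new entry."""
    entries, current = [], None
    for line in report_text.splitlines():
        if line.strip() == "Similarity":
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    if current:
        entries.append(current)
    return entries


def check_entries(entries: list) -> list:
    """Recompute every entry's tag and compare it with the printed one.

    Returns (Opcode ID prefix, printed tag, recomputed tag, matches?) per entry.
    """
    results = []
    for e in entries:
        printed = e.get("API String ID", "")
        computed = api_string_id(e.get("API ID", ""), e.get("String ID", ""))
        results.append((e.get("Opcode ID", "")[:12], printed, computed, printed == computed))
    return results


def index_by_tag(entries: list) -> dict:
    """Group Opcode IDs by recomputed tag so functions with the same API/string profile can be cross-referenced."""
    groups = defaultdict(list)
    for e in entries:
        tag = api_string_id(e.get("API ID", ""), e.get("String ID", ""))
        groups[tag].append(e.get("Opcode ID", ""))
    return dict(groups)


if __name__ == "__main__":
    for prefix, printed, computed, ok in check_entries(parse_entries(SAMPLE_REPORT)):
        shown_printed = printed or "(blank)"
        shown_computed = computed or "(blank)"
        print(f"{prefix}  printed={shown_printed}  computed={shown_computed}  {'OK' if ok else 'MISMATCH'}")
```

Run as-is it prints OK for the three constructed entries. Because the tag is a pair of plain CRC32 values, it is a lookup key rather than a similarity measure: two functions that reference the same API and string get the same tag regardless of their code, which is why the report also carries the Instruction and Opcode fuzzy hashes for code-level comparison.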
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d26adac4bae540f9be7e6b35b9929f5dbcc45b82d6ff8b4d0a7c78f40a124fda
• Instruction ID: 2841f36176f8c40ec58bf8ad82ad713e2fea5088408ba1b42d28413c337fc0e2
• Opcode Fuzzy Hash: d26adac4bae540f9be7e6b35b9929f5dbcc45b82d6ff8b4d0a7c78f40a124fda
• Instruction Fuzzy Hash: BEB15B71B14A364BDB188E69C8907BEB7EAEF85320F6D8179D8459B394DA748CD0C780
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c72fc035f39ff18bf0ebcc914572c194267d3bf521bf6442c4757bc8df46418d
• Instruction ID: 3bed96e3e892a84ff960fe5fa256484d43483cba5bf319ea9443cf43a8a27403
• Opcode Fuzzy Hash: c72fc035f39ff18bf0ebcc914572c194267d3bf521bf6442c4757bc8df46418d
• Instruction Fuzzy Hash: B9C15CB4A183529FC704CF59D480A1AFBE1BFD9314F248A6EE8988B351D771D856CB82
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29c05a1d145bfee6839909fe7057fdf2cb79e8d31774a3f9a4b20896963833e5
• Instruction ID: 1aa956638d08de15976fc302a909aab8d1fb71ef48eb700de015e03f0e177e59
• Opcode Fuzzy Hash: 29c05a1d145bfee6839909fe7057fdf2cb79e8d31774a3f9a4b20896963833e5
• Instruction Fuzzy Hash: 81B172B5D112168FCB04CF69C4806EEFBF2FF99314F29829AD419AB352D3759846CB90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 534626304540d3f25a5af39a4b9a4902d6d064e32871fddd8e7c958310b0aaf1
• Instruction ID: 355412cce01d5e45f1c7a04ccfea68c435aaaeadbc7b2d05c4f8cede993271d9
• Opcode Fuzzy Hash: 534626304540d3f25a5af39a4b9a4902d6d064e32871fddd8e7c958310b0aaf1
• Instruction Fuzzy Hash: 8F81DF75E12216CFCB08DF68C8A07BEB7F2AF88310F594129D9166B3C5DB349D158BA0
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7c3a8c272d9e18af34b744a2acdbb4c9c2eaac91b03173a6868f7824011764b
• Instruction ID: 4341c1a337b0c45d778f0815472c2bafb64be468dac6788ec8eb5e62884a1be8
• Opcode Fuzzy Hash: e7c3a8c272d9e18af34b744a2acdbb4c9c2eaac91b03173a6868f7824011764b
• Instruction Fuzzy Hash: 77415364E19F995AE3039A3C58036B3F758AFF72C9B41E70BEDE035417E72099829284
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34f8aad2d6413faeac46a3ed75cc5bf9ef96fbcaf51b8db1757c0a2f35813ca7
• Instruction ID: bc9045ff070fd23f1f194e8f3b812bd449e4ad3fd703ec16cecfc1da65b9f900
• Opcode Fuzzy Hash: 34f8aad2d6413faeac46a3ed75cc5bf9ef96fbcaf51b8db1757c0a2f35813ca7
• Instruction Fuzzy Hash: D001BCB18053549FC71AEF68C805886BFB5AF46210B06C2A6EC489B362D734E914CBE2
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ffd6cbd36bce322eade584a8a91c75ecc27ad9f0d7b14e3488de81505caf5f0
• Instruction ID: 28d88d60b52998c78e15b61d4fd2993b16bc5d496c3c42ecc6a0837b0ae892a9
• Opcode Fuzzy Hash: 3ffd6cbd36bce322eade584a8a91c75ecc27ad9f0d7b14e3488de81505caf5f0
• Instruction Fuzzy Hash: BE01A2718057549FC71ADF28C855896FFB5BF46210B06C296EC489B362C734ED14CBE1
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d03620d403ba9fe56e8385862889056e31b02eb4500f0615abc6941b0861f724
• Instruction ID: cde46e73b72a1f3bced479ee0299295ea9bd7bcbae9f40f1c0ecae52e442d9fe
• Opcode Fuzzy Hash: d03620d403ba9fe56e8385862889056e31b02eb4500f0615abc6941b0861f724
• Instruction Fuzzy Hash: A5D052726097104BC3288F4FA800942FBECDBC8320B00C43FA08EC3700CAB1A8008BA4
Strings
• RemoveVectoredExceptionHandler, xrefs: 002ABB05
• AddVectoredExceptionHandler, xrefs: 002ABAF1
• kernel32.dll, xrefs: 002ABAD5
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID:
• String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 0-3889795909
• Opcode ID: d33b8041fe78695798dd79d0c63367e128d25b5072b7adfb5e275d8ff1ac532f
• Instruction ID: 44ce2379b402aa0768a4029f8151d77c0d1220b7c62a5eec28284da9dc82f599
• Opcode Fuzzy Hash: d33b8041fe78695798dd79d0c63367e128d25b5072b7adfb5e275d8ff1ac532f
• Instruction Fuzzy Hash: 6851E1B19143469FEB25DF28D8C072ABBF4BF86314F08489DD8854B252CB35EC65CB82
APIs
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA09
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA0E
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA13
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA18
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA1D
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA22
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA27
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA2C
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA31
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA36
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA3B
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA40
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA45
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA4A
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA4F
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA54
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA59
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA60
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA65
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6A
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6F
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA74
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA79
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA7E
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA83
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA88
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA8D
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA94
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA99
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA9E
                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,002A3854), ref: 002ABADC
                                                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 002ABAFC
                                                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 002ABB10
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • RemoveVectoredExceptionHandler, xrefs: 002ABB05
                                                                                                                                                                                                    • AddVectoredExceptionHandler, xrefs: 002ABAF1
                                                                                                                                                                                                    • kernel32.dll, xrefs: 002ABAD5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: abort$AddressProc$HandleModule
                                                                                                                                                                                                    • String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
                                                                                                                                                                                                    • API String ID: 1748640044-3889795909
                                                                                                                                                                                                    • Opcode ID: 7515787f9b0877fb8da24a8884b56ecbfd67e36d8255454f1426c95a1d8ea25a
                                                                                                                                                                                                    • Instruction ID: 066615e7b89df7172dfdab508455cbe3deb975cca5a4a383588052e5339bb0c4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7515787f9b0877fb8da24a8884b56ecbfd67e36d8255454f1426c95a1d8ea25a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B741EE716247048FD7109F58DCC1B6BB7F5EB86310F00892AE98587262EB34AC68CF62
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000,00000000,00000000,?), ref: 0024B0CC
                                                                                                                                                                                                    • LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,?), ref: 0024B0DF
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,SymGetOptions), ref: 0024B113
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(SymSetOptions), ref: 0024B141
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(SymInitializeW), ref: 0024B170
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(SymInitializeW), ref: 0024B184
                                                                                                                                                                                                    • memset.MSVCRT ref: 0024B1D2
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(SymGetSearchPathW), ref: 0024B202
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(SymGetSearchPathW), ref: 0024B216
                                                                                                                                                                                                    • lstrlenW.KERNEL32(00000002), ref: 0024B22A
                                                                                                                                                                                                    • memcpy.MSVCRT(?,Local\RustBacktraceMutex00000000,00000021), ref: 0024B24F
                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 0024B257
                                                                                                                                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0024B2DC
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?), ref: 0024B2FA
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(EnumerateLoadedModulesW64), ref: 0024B3B0
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(EnumerateLoadedModulesW64), ref: 0024B3C4
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(SymSetSearchPathW), ref: 0024B420
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(SymSetSearchPathW), ref: 0024B430
                                                                                                                                                                                                    • ReleaseMutex.KERNEL32(?,000000FF,00000021,0031BF9C), ref: 0024B4D1
                                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,0031BF9C), ref: 0024B4EC
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc$CurrentProcess$Mutexlstrlen$CloseCreateHandleLibraryLoadObjectReleaseSingleWaitmemcpymemset
                                                                                                                                                                                                    • String ID: EnumerateLoadedModulesW64$Local\RustBacktraceMutex00000000$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$called `Result::unwrap()` on an `Err` value$dbghelp.dll
                                                                                                                                                                                                    • API String ID: 2256804348-37522383
                                                                                                                                                                                                    • Opcode ID: 9b1178c326ae9d2608f7b189b6f7a102664f1ddde176f58eadb290cde05d2b83
                                                                                                                                                                                                    • Instruction ID: 6d87f8e62b75f2971e9d0542e5f440339fa1e6329ec4b9f7f652ace71d76453b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b1178c326ae9d2608f7b189b6f7a102664f1ddde176f58eadb290cde05d2b83
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE02F771E203169BCF1ADFA4DC81BEEB7B9AF59310F140125E904A7292EB71DD60CB91
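The two function records above are typical of what has to be triaged by hand in this part of the report: one function obtains kernel32.dll with GetModuleHandleA and then resolves AddVectoredExceptionHandler and RemoveVectoredExceptionHandler through GetProcAddress (the plugin could not recover the name argument, but the string xrefs sit a few bytes before each call site); the other loads dbghelp.dll, resolves the Sym* symbol APIs and builds a Local\RustBacktraceMutex<pid> mutex name. The following parser is an added example, not part of the report and not Joe Sandbox code. It reads these "APIs" / "Strings" / "Similarity" bullet records, recovers the GetProcAddress targets (falling back, as an assumption about how the compiler laid out the call, to the nearest preceding string xref when the argument is missing), lists libraries passed to LoadLibraryA, and attaches coarse triage tags. The "rust-runtime" tag is a heuristic that keys on the RustBacktraceMutex and `Result::unwrap()` strings, which the Rust standard library's panic and backtrace code leaves in binaries; it marks a candidate runtime artifact, not a verdict on the sample. The embedded input is a trimmed excerpt of the two records shown above.

```python
"""Added example, not from the report or Joe Sandbox: parse the per-function
"APIs" / "Strings" / "Similarity" records and summarise run-time API resolution."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "• GetProcAddress.KERNEL32(?,SymGetOptions), ref: 0024B113"; the argument list
# and its comma are absent when the IDA plugin recovered no arguments.
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s*(?P<text>.+?),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.+)$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")   # plausible export name
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")    # a recovered immediate, not a name

ApiCall = namedtuple("ApiCall", "api module args ref")   # ref = call-site address

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref address)
    meta: dict = field(default_factory=dict)      # Opcode ID, API ID, String ID, ...

def parse_records(text):
    """Each record starts at an "APIs" header and runs to the next one."""
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
        elif line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
        elif cur is None or not line.startswith("•"):
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], int(m["ref"], 16)))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"]
    return records

def resolved_imports(rec, window=0x40):
    """Export names handed to GetProcAddress.  For a bare call with no recovered
    argument, take the closest string xref preceding the call site within `window`
    bytes, where the name pointer is usually loaded (assumption, not a guarantee)."""
    names = []
    for call in rec.apis:
        if call.api != "GetProcAddress":
            continue
        literal = [a for a in call.args if IDENT_RE.match(a) and not HEX_RE.match(a)]
        near = [(x, s) for s, x in rec.strings if IDENT_RE.match(s) and 0 < call.ref - x <= window]
        if literal:
            names.append(literal[-1])
        elif near:
            names.append(max(near)[1])   # highest address below the call = closest
    return names

def loaded_libraries(rec):
    return [c.args[0] for c in rec.apis if c.api in ("LoadLibraryA", "LoadLibraryW") and c.args and c.args[0] != "?"]

def classify(rec):
    """Coarse triage tags; "rust-runtime" keys on strings the Rust standard
    library's panic and backtrace code leaves in binaries (heuristic)."""
    tags, names = set(), resolved_imports(rec)
    if names:
        tags.add("dynamic-import-resolution")
    if any(n.endswith("VectoredExceptionHandler") for n in names):
        tags.add("veh")
    if "dbghelp.dll" in loaded_libraries(rec):
        tags.add("dbghelp-symbols")
    blobs = [s for s, _ in rec.strings] + [a for c in rec.apis for a in c.args] + list(rec.meta.values())
    if any("RustBacktraceMutex" in b or "Result::unwrap()" in b for b in blobs):
        tags.add("rust-runtime")
    return tags

def summarize(text):
    return [{"opcode_id": r.meta.get("Opcode ID"), "calls": sorted({c.api for c in r.apis}),
             "libraries": loaded_libraries(r), "resolved": resolved_imports(r),
             "tags": sorted(classify(r))} for r in parse_records(text)]

# Constructed input: a trimmed excerpt of the two records shown above.
SAMPLE = r"""APIs
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,002A3854), ref: 002ABADC
• GetProcAddress.KERNEL32 ref: 002ABAFC
• GetProcAddress.KERNEL32 ref: 002ABB10
Strings
• RemoveVectoredExceptionHandler, xrefs: 002ABB05
• AddVectoredExceptionHandler, xrefs: 002ABAF1
• kernel32.dll, xrefs: 002ABAD5
Similarity
• Opcode ID: 7515787f9b0877fb8da24a8884b56ecbfd67e36d8255454f1426c95a1d8ea25a
APIs
• LoadLibraryA.KERNEL32(dbghelp.dll,00000000,000000FF,00000000,00000000,00000000,?), ref: 0024B0DF
• GetProcAddress.KERNEL32(?,SymGetOptions), ref: 0024B113
• GetProcAddress.KERNEL32(SymInitializeW), ref: 0024B170
• memcpy.MSVCRT(?,Local\RustBacktraceMutex00000000,00000021), ref: 0024B24F
Similarity
• String ID: EnumerateLoadedModulesW64$Local\RustBacktraceMutex00000000$called `Result::unwrap()` on an `Err` value$dbghelp.dll
"""
```

Run `summarize(SAMPLE)` (or paste a larger slice of this section into `SAMPLE`) to get one dict per function with the API set, the libraries it loads, the export names it resolves and the tags; the first record comes back tagged `veh` with both VectoredExceptionHandler names recovered from the xrefs, the second `dbghelp-symbols` and `rust-runtime`. The xref-proximity fallback only triggers when the plugin recovered no argument, and a wrong pairing is possible when several name strings are loaded before one call, so treat recovered names from that path as leads to confirm in the disassembly.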
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA22
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA27
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA2C
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA31
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA36
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA3B
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA40
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA45
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA4A
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA4F
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA54
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA59
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA60
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA65
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6A
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6F
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA74
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA79
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA7E
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA83
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA88
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA8D
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA94
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA99
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA9E
                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,002A3854), ref: 002ABADC
                                                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 002ABAFC
                                                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 002ABB10
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • RemoveVectoredExceptionHandler, xrefs: 002ABB05
                                                                                                                                                                                                    • AddVectoredExceptionHandler, xrefs: 002ABAF1
                                                                                                                                                                                                    • kernel32.dll, xrefs: 002ABAD5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: abort$AddressProc$HandleModule
                                                                                                                                                                                                    • String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
                                                                                                                                                                                                    • API String ID: 1748640044-3889795909
                                                                                                                                                                                                    • Opcode ID: f36d69a9491234a7b7c6249aec36847a3d3c6e5eeabd03afea50007733886e8e
                                                                                                                                                                                                    • Instruction ID: a62daa6328b1b58dd6526c882b483329ffb2771a630a4ce03eb2305c2233c8cf
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f36d69a9491234a7b7c6249aec36847a3d3c6e5eeabd03afea50007733886e8e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DE51E271A206199FCB00DF6CD8817A9BBF5BF46354F084126EC55CB352EB34E861CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 002A2110: strlen.MSVCRT ref: 002A219D
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA31
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA36
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA3B
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA40
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA45
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA4A
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA4F
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA54
                                                                                                                                                                                                    • abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA59
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA60
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA65
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6A
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6F
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA74
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA79
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA7E
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA83
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA88
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA8D
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA94
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA99
                                                                                                                                                                                                    • abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA9E
                                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,002A3854), ref: 002ABADC
                                                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 002ABAFC
                                                                                                                                                                                                    • GetProcAddress.KERNEL32 ref: 002ABB10
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • RemoveVectoredExceptionHandler, xrefs: 002ABB05
                                                                                                                                                                                                    • AddVectoredExceptionHandler, xrefs: 002ABAF1
                                                                                                                                                                                                    • kernel32.dll, xrefs: 002ABAD5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: abort$AddressProc$HandleModulestrlen
                                                                                                                                                                                                    • String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
                                                                                                                                                                                                    • API String ID: 1472221321-3889795909
                                                                                                                                                                                                    • Opcode ID: a29fe83d84c8bd189c1bbef4ee68de26315742ef11b9f77aec2944bec09ebfa2
                                                                                                                                                                                                    • Instruction ID: 1fedeb8e5fc4880c5a92c48084cfdc66be85dfff845800513858831af182463a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a29fe83d84c8bd189c1bbef4ee68de26315742ef11b9f77aec2944bec09ebfa2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C64181B4518780CFE716DF3CE9457167FE8AB92305F04495DEAC487262DBBA8908CB27
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • RemoveVectoredExceptionHandler, xrefs: 002ABB05
                                                                                                                                                                                                    • AddVectoredExceptionHandler, xrefs: 002ABAF1
                                                                                                                                                                                                    • kernel32.dll, xrefs: 002ABAD5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
                                                                                                                                                                                                    • API String ID: 0-3889795909
                                                                                                                                                                                                    • Opcode ID: cc307039c48de17be75b7b5c6bf01ce28d5c38c0685baceff7a908d26d7153ea
                                                                                                                                                                                                    • Instruction ID: 35efab24c2325b462aaa73ca4eef4d7146d8ae6da04805130bf57e8d1b4cd477
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cc307039c48de17be75b7b5c6bf01ce28d5c38c0685baceff7a908d26d7153ea
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 44311E749112099FCB14EF68D981AAEBBF4FF46314F008569E84897312EB30AE55CF92
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: strlen
                                                                                                                                                                                                    • String ID: @$AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
                                                                                                                                                                                                    • API String ID: 39653677-2564961135
                                                                                                                                                                                                    • Opcode ID: 53e897720dfcf363104780b747539d0c4b35de4d76b88cdd47c46ea32df60c45
                                                                                                                                                                                                    • Instruction ID: 97c85f7cfbd2c61c2cc830767ee0afbe1ac07254a5f76d4745ef444267e4dcc4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 53e897720dfcf363104780b747539d0c4b35de4d76b88cdd47c46ea32df60c45
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E031B270A143049FDB11EF6DED857AEBBF8AF46300F004569E94887211DB349E54CF52
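The per-function listings above are what the Joe Sandbox IDA plugin recovered for each routine: the APIs it calls (entries marked "Part of subcall function" are inherited from callees), the strings it references with their xref addresses, and the similarity hashes. The point a triage analyst wants out of them is which imports a function resolves at runtime rather than through the import table; the functions above pair GetModuleHandleA and GetProcAddress with the strings kernel32.dll, AddVectoredExceptionHandler and RemoveVectoredExceptionHandler in the same routine, which is the usual shape of such dynamic resolution. The following Python script is an added example, not Joe Sandbox's code and not code from the sample; it parses listing text in the format shown on this page and reports, per function, the names that appear to be resolved this way. The resolution heuristic (GetProcAddress called, plus a ".dll" string and identifier-looking strings in the same function) is this example's own assumption, and the sample input is constructed from lines of this report.

```python
"""Triage helper for Joe Sandbox per-function listings (APIs / Strings / Similarity).

Added example, not Joe Sandbox's code. It parses the plain-text listing format
shown in this report and reports, per function, which API names the function
appears to resolve at runtime via GetProcAddress. The resolution heuristic is
this example's own assumption; confirm it against the xref addresses in IDA.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed from lines of this report (the abort/GetProcAddress function).
SAMPLE = """\
APIs
• Part of subcall function 002A2110: strlen.MSVCRT ref: 002A219D
• abort.MSVCRT(?,?,?,?,00000001,?,002A1A63), ref: 002ABA31
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA60
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,002A3854), ref: 002ABADC
• GetProcAddress.KERNEL32 ref: 002ABAFC
• GetProcAddress.KERNEL32 ref: 002ABB10
Strings
• RemoveVectoredExceptionHandler, xrefs: 002ABB05
• AddVectoredExceptionHandler, xrefs: 002ABAF1
• kernel32.dll, xrefs: 002ABAD5
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: abort$AddressProc$HandleModulestrlen
• String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 1472221321-3889795909
• Instruction Fuzzy Hash: C64181B4518780CFE716DF3CE9457167FE8AB92305F04495DEAC487262DBBA8908CB27
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^•\s*(?P<text>.*?), xrefs: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[\w ]+?): (?P<val>.*)$")
API_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")   # e.g. AddVectoredExceptionHandler


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, ref, from_subcall)
    strings: list = field(default_factory=list)  # (text, xref)
    meta: dict = field(default_factory=dict)     # Similarity / dump-source fields


def parse_blocks(text):
    """Split listing text into one FunctionBlock per function.

    'Instruction Fuzzy Hash' is the last field of every block in the report,
    so it is used as the block terminator.
    """
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["module"], m["ref"], m["sub"] is not None))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif m := KV_RE.match(line):
            cur.meta[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur, section = FunctionBlock(), None
    if cur.apis or cur.strings or cur.meta:   # tolerate a truncated final block
        blocks.append(cur)
    return blocks


def dynamic_resolution(block):
    """Return (dll_names, api_names) the function appears to resolve at runtime.

    Heuristic (an assumption of this example): the function calls GetProcAddress,
    directly or via a subcall, and its string table holds a '*.dll' name plus
    identifier-looking strings; those identifiers are the likely export names.
    Returns None when the function does not call GetProcAddress at all.
    """
    if not any(name == "GetProcAddress" for name, _, _, _ in block.apis):
        return None
    dlls = sorted(s for s, _ in block.strings if s.lower().endswith(".dll"))
    names = sorted(s for s, _ in block.strings if API_NAME_RE.match(s) and s not in dlls)
    return dlls, names


def summarise(text):
    """One summary row per function: direct call counts and resolved imports."""
    rows = []
    for index, block in enumerate(parse_blocks(text)):
        direct = Counter(name for name, _, _, sub in block.apis if not sub)
        rows.append({
            "index": index,
            "fuzzy_hash": block.meta.get("Instruction Fuzzy Hash", ""),
            "abort_calls": direct["abort"],
            "resolves": dynamic_resolution(block),
        })
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(row)
```

Two caveats when reading the output. The Strings section lists every string the function references, not only GetProcAddress arguments, so a name reported as resolved should be confirmed by following its xref address (002ABAF1 and 002ABB05 above) to the actual push before the call. And the abort call count is only a rough signal: the report shows runs of a dozen abort stubs per function, which is what a compiler emits for panic or bounds-check paths, so a high count by itself says nothing about evasion.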
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00232C10: SetLastError.KERNEL32(00000000), ref: 00232C85
                                                                                                                                                                                                      • Part of subcall function 00232C10: GetCurrentDirectoryW.KERNEL32(00000000,00000002,00000000), ref: 00232C8C
                                                                                                                                                                                                      • Part of subcall function 00232C10: GetLastError.KERNEL32(00000000,?,00000000,00000000,00000002,00000000), ref: 00232C97
                                                                                                                                                                                                      • Part of subcall function 00232C10: GetLastError.KERNEL32(00000000,?,00000000,00000000,00000002,00000000), ref: 00232CA8
• GetCurrentProcess.KERNEL32 ref: 00247758
• GetCurrentThread.KERNEL32 ref: 00247761
• memset.MSVCRT ref: 00247779
• RtlCaptureContext.KERNEL32(?), ref: 00247782
• GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 002477C8
• GetProcAddress.KERNEL32(SymGetModuleBase64,SymFunctionTableAccess64), ref: 002477F7
• GetCurrentProcess.KERNEL32(SymFunctionTableAccess64,?), ref: 0024780B
• GetProcAddress.KERNEL32(StackWalkEx,SymFunctionTableAccess64), ref: 00247828
• memset.MSVCRT ref: 00247851
Strings
• SymFunctionTableAccess64, xrefs: 002477BD
• StackWalkEx, xrefs: 0024781D
• P , xrefs: 0024774C
• SymGetModuleBase64, xrefs: 002477EC
• stack backtrace:, xrefs: 00247702
• note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_end_short_backtrace__rust_begin_short_backtraces [... omitted frame ...], xrefs: 00247A7B
• StackWalk64, xrefs: 00247B95
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Current$AddressErrorLastProc$Processmemset$CaptureContextDirectoryThread
• String ID: P $StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_end_short_backtrace__rust_begin_short_backtraces [... omitted frame ...]$stack backtrace:
• API String ID: 1663827168-168452244
APIs
• CreateFileW.KERNEL32(?,00110080,00000007,00000000,00000003,02200080,00000000), ref: 0024D41F
• GetFileInformationByHandleEx.KERNEL32(00000000,00000009,?,00000008,?,00110080,00000007,00000000,00000003,02200080,00000000), ref: 0024D435
• GetLastError.KERNEL32(?,00110080,00000007,00000000,00000003,02200080,00000000), ref: 0024D462
• CreateFileW.KERNEL32(?,00110000,00000007,00000000,00000003,02000080,00000000,?,00110080,00000007,00000000,00000003,02200080,00000000), ref: 0024D49F
• memcpy.MSVCRT(-0000000C,?,?,?,?,02200080,00000000), ref: 0024D506
• SetFileInformationByHandle.KERNEL32(?,00000016,00000000,?,?,?,?,?,?,02200080,00000000), ref: 0024D517
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,02200080,00000000), ref: 0024D538
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,02200080,00000000), ref: 0024D66E
Strings
• called `Result::unwrap()` on an `Err` value, xrefs: 0024D643
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: FileHandle$CloseCreateInformation$ErrorLastmemcpy
• String ID: called `Result::unwrap()` on an `Err` value
• API String ID: 2465000479-2333694755
APIs
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA60
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA65
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6A
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA6F
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA74
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA79
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA7E
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA83
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA88
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA8D
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA94
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA99
• abort.MSVCRT(?,?,00000008,?,00000000,?,002A3854), ref: 002ABA9E
• GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,002A3854), ref: 002ABADC
• GetProcAddress.KERNEL32 ref: 002ABAFC
• GetProcAddress.KERNEL32 ref: 002ABB10
Strings
• RemoveVectoredExceptionHandler, xrefs: 002ABB05
• AddVectoredExceptionHandler, xrefs: 002ABAF1
• kernel32.dll, xrefs: 002ABAD5
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: abort$AddressProc$HandleModule
• String ID: AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 1748640044-3889795909
APIs
• SetLastError.KERNEL32(00000000), ref: 0023370E
• GetUserProfileDirectoryW.USERENV(000000FC,?,?,00000000), ref: 0023371F
• GetLastError.KERNEL32(000000FC,?,?,00000000), ref: 00233760
• GetLastError.KERNEL32(000000FC,?,?,00000000), ref: 00233777
Strings
• called `Result::unwrap()` on an `Err` value, xrefs: 00233B1E
• USERPROFILE\\.\pipe\__rust_anonymous_pipe1__., xrefs: 00233685
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorLast$DirectoryProfileUser
• String ID: USERPROFILE\\.\pipe\__rust_anonymous_pipe1__.$called `Result::unwrap()` on an `Err` value
• API String ID: 2013343546-4144570884
APIs
• SetLastError.KERNEL32(00000000), ref: 0025A425
• GetFullPathNameW.KERNEL32(?,00000000,00000002,00000000,00000000), ref: 0025A431
• GetLastError.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 0025A43C
• GetLastError.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 0025A44D
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ErrorLast$FullNamePath
• String ID: SetThreadDescription$kernel32
• API String ID: 2482867836-1950310818
APIs
  • Part of subcall function 002A53F0: calloc.MSVCRT ref: 002A547E
• TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,002A4AF3), ref: 002A646F
• TlsGetValue.KERNEL32 ref: 002A6495
• TlsGetValue.KERNEL32 ref: 002A64BF
• fprintf.MSVCRT ref: 002A6500
Similarity
• API ID: Value$callocfprintf
• String ID: once %p is %ld$AddVectoredExceptionHandler$RemoveVectoredExceptionHandler$kernel32.dll
• API String ID: 811747394-2209695033
APIs
• calloc.MSVCRT ref: 002A94A2
• CreateSemaphoreA.KERNEL32 ref: 002A94F8
• CreateSemaphoreA.KERNEL32 ref: 002A951F
• InitializeCriticalSection.KERNEL32 ref: 002A953E
• InitializeCriticalSection.KERNEL32 ref: 002A9549
• InitializeCriticalSection.KERNEL32 ref: 002A9554
Similarity
• API ID: CriticalInitializeSection$CreateSemaphore$calloc
• String ID: l
• API String ID: 2075313795-2517025534
APIs
• ioctlsocket.WS2_32(?,8004667E,00000001), ref: 0025051B
• WSAGetLastError.WS2_32 ref: 0025054A
• connect.WS2_32(?,00000001,00000010), ref: 002505A5
• ioctlsocket.WS2_32(?,8004667E,00000001), ref: 002505C4
• WSAGetLastError.WS2_32 ref: 002505D0
• ioctlsocket.WS2_32(?,8004667E,00000001), ref: 002505F2
• WSAGetLastError.WS2_32(?,8004667E,00000001), ref: 0025063B
• memset.MSVCRT ref: 0025069F
• memset.MSVCRT ref: 002506C5
• select.WS2_32(00000001,00000000,00000001,00000001,?), ref: 002506ED
• WSAGetLastError.WS2_32 ref: 002506FE
Similarity
• API ID: ErrorLast$ioctlsocket$memset$connectselect
• String ID:
• API String ID: 1299707133-0
APIs
• memset.MSVCRT ref: 00240350
• GetCurrentProcessId.KERNEL32 ref: 0024035A
• WSADuplicateSocketW.WS2_32(0F08C483,00000000,?), ref: 00240362
• WSASocketW.WS2_32(?,?,?,?,00000000,00000081), ref: 00240386
• WSAGetLastError.WS2_32 ref: 00240398
• WSAGetLastError.WS2_32(?,?,?,?,00000000,00000081), ref: 002403BA
• WSASocketW.WS2_32(?,?,?,?,00000000,00000001), ref: 002403E4
• SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,?,00000000,00000001,?,?,?,?,00000000,00000081), ref: 002403F5
• WSAGetLastError.WS2_32(?,?,?,?,00000000,00000001,?,?,?,?,00000000,00000081), ref: 00240407
• GetLastError.KERNEL32(00000000,00000001,00000000,?,?,?,?,00000000,00000001,?,?,?,?,00000000,00000081), ref: 00240417
• closesocket.WS2_32(00000000), ref: 00240426
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$Socket$CurrentDuplicateHandleInformationProcessclosesocketmemset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2222771188-0
                                                                                                                                                                                                    • Opcode ID: 385d7b35f455f21a572e9bde6b22e34dce3e72efc4e3b4c79ed6e4c15a8551a0
                                                                                                                                                                                                    • Instruction ID: 73d39d8bbfaae9685d3218f8c999b0ea2d8057c1f39f070554be0c9e41e9efe0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 385d7b35f455f21a572e9bde6b22e34dce3e72efc4e3b4c79ed6e4c15a8551a0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 40212830420341ABDF706F64CD89F6A7EA49F02710F2045A9F39CDA1D1D7B5A8E18F11
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0024576B
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0024584E
                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00245862
                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,000000FF), ref: 0024586B
                                                                                                                                                                                                    • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 002458BF
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 0024590A
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000001,00000000,00000000,00000000,00000000,000000FF), ref: 00245910
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 002459C0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
                                                                                                                                                                                                    • String ID: called `Result::unwrap()` on an `Err` value
                                                                                                                                                                                                    • API String ID: 17306042-2333694755
                                                                                                                                                                                                    • Opcode ID: 5596442e8e4ea6efd91ee490d56d9cbae694345513a07391cfac7bda27007a1a
                                                                                                                                                                                                    • Instruction ID: f6615b63d803ae0503d1e431aae79bc1174534a55f045f13b3cb250a4d8f0e82
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5596442e8e4ea6efd91ee490d56d9cbae694345513a07391cfac7bda27007a1a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CC71C270D10B09EBDF15EFA0CC41BEEF7B8AF49304F108519E8557A182EBB5A955CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • assertion failed: new_left_len <= CAPACITY, xrefs: 0021BBF1
                                                                                                                                                                                                    • assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 0021BC09, 0021BC53
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memmove
                                                                                                                                                                                                    • String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY
                                                                                                                                                                                                    • API String ID: 2162964266-2079967719
                                                                                                                                                                                                    • Opcode ID: b5c12660cbd001dc39241494e4c0e471519a845dba9b4a21e821718d8a383ccf
                                                                                                                                                                                                    • Instruction ID: 17f9de5c06d13e84fb49a790ad7a755b0da5b4dedc6a1823aa741af179b80867
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b5c12660cbd001dc39241494e4c0e471519a845dba9b4a21e821718d8a383ccf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4D225A75D106198BCB15CF98C880AEEF7F5FF98304F14826ED8096B255EB71AA92CF50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • TlsGetValue.KERNEL32 ref: 0025D57D
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,00000000), ref: 0025D58E
                                                                                                                                                                                                    • TlsGetValue.KERNEL32 ref: 0025D5CD
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,00000000), ref: 0025D5DE
                                                                                                                                                                                                    • TlsGetValue.KERNEL32 ref: 0025D61D
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,00000000), ref: 0025D62E
                                                                                                                                                                                                    • TlsGetValue.KERNEL32 ref: 0025D66D
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,00000000), ref: 0025D67E
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(?), ref: 0025D6BA
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,00000000,?), ref: 0025D6C8
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(00000000), ref: 0025D6E0
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,00000002,00000000), ref: 0025D6F9
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Value
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3702945584-0
                                                                                                                                                                                                    • Opcode ID: 890aa2ed7727f5ecebcf3e73a18e2d98aa7c69f1c85e9107270101ed26b50752
                                                                                                                                                                                                    • Instruction ID: 39403b2e08a1a243b69cb108c9d94151f2d7de6b475dafc87adcd80849dde556
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 890aa2ed7727f5ecebcf3e73a18e2d98aa7c69f1c85e9107270101ed26b50752
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9F713EB5A203064BDB309F64D881BAFB3ACAF49715F590018DD0967341EF31ED69CB99
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • accept.WS2_32(?,?,00000080), ref: 0023F30E
                                                                                                                                                                                                    • WSAGetLastError.WS2_32 ref: 0023F35E
                                                                                                                                                                                                    • closesocket.WS2_32(00000000), ref: 0023F3F3
                                                                                                                                                                                                    • closesocket.WS2_32(00000000), ref: 0023F44A
                                                                                                                                                                                                    • setsockopt.WS2_32(?,00000000,00000004,00000000,00000004), ref: 0023F47E
                                                                                                                                                                                                    • WSAGetLastError.WS2_32(?,00000000,00000004,00000000,00000004,00000000,00000000,?,00000000,00000000), ref: 0023F48A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 0023F435
                                                                                                                                                                                                    • assertion failed: len >= mem::size_of::<c::sockaddr_in>()library\std\src\sys_common\net.rs, xrefs: 0023F424, 0023F43C
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorLastclosesocket$acceptsetsockopt
• String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()library\std\src\sys_common\net.rs
• API String ID: 1216698370-513854611
• Opcode ID: 4a2ae6a827e5e4579e555ebeb208ed7a170fb7003532dc1be14ce5e44388b1a2
• Instruction ID: d7cf91388c5cb54839d3133c275a2049cda514db318927efde1cf33650d2108b
• Opcode Fuzzy Hash: 4a2ae6a827e5e4579e555ebeb208ed7a170fb7003532dc1be14ce5e44388b1a2
• Instruction Fuzzy Hash: 4651A1B49183409BD728CF18D481AABB7F5EFC9314F10492DFA9983390D7359945CB96
APIs
• memset.MSVCRT ref: 0024C366
• FindNextFileW.KERNEL32(0544C5E8,?), ref: 0024C370
• memcpy.MSVCRT(?,?,00000250,0544C5E8,?), ref: 0024C3D7
• memcpy.MSVCRT(?,00236288,0000021E), ref: 0024C470
• FindClose.KERNEL32(0544C5E8,?,0544C5E8,?), ref: 0024C4B8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Findmemcpy$CloseFileNextmemset
• String ID: .
• API String ID: 924662966-248832578
• Opcode ID: 29ac1023d57b7cbd743a62390d38b3630b2b1577139acb3c0ce0037c9c84b8e2
• Instruction ID: f69cee84057280737cfa8980e703ce23e1c6f9388f0b7f040c0d624b507392be
• Opcode Fuzzy Hash: 29ac1023d57b7cbd743a62390d38b3630b2b1577139acb3c0ce0037c9c84b8e2
• Instruction Fuzzy Hash: B55138749216069BCB59DF19C9847BAB774FF49310F508295EC086F282D774D9E0CB91
APIs
• CreateFileW.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 0024C717
• GetLastError.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 0024C738
• SetFileInformationByHandle.KERNEL32(00000000,00000005,00000000,00000008,?,00000000), ref: 0024C760
• GetLastError.KERNEL32(00000000,00000005,00000000,00000008,?,00000000), ref: 0024C769
• SetFileInformationByHandle.KERNEL32(00000000,00000006,00000000,00000008,00000000,00000005), ref: 0024C794
• GetLastError.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 0024C7C7
• GetLastError.KERNEL32(00000000,00000006,00000000,00000008,00000000,00000005), ref: 0024C7F4
• CloseHandle.KERNEL32(?,00000000,00000006,00000000,00000008,00000000,00000005), ref: 0024C803
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 0024C850
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorHandleLast$File$CloseInformation$Create
• String ID:
• API String ID: 4230017884-0
• Opcode ID: 135af8752139fb9fa3ea98aa1ab062d161c2f38a7621b02874c684c3d2cc651a
• Instruction ID: 8f9b2fd912b547c8876fc926a4f8d765a85df35a5afdf1d69139203f9cc72580
• Opcode Fuzzy Hash: 135af8752139fb9fa3ea98aa1ab062d161c2f38a7621b02874c684c3d2cc651a
• Instruction Fuzzy Hash: 1B8115B05293419FEB68CF18C881B6ABBE8AFC5304F24955DFC894B2C2D775C824CB52
APIs
• SetLastError.KERNEL32(00000000), ref: 0023336A
• GetEnvironmentVariableW.KERNEL32(?,?,?,00000000), ref: 00233375
• GetLastError.KERNEL32(00000200,?,00000000,00000000), ref: 00233380
• GetLastError.KERNEL32(00000200,?,00000000,00000000), ref: 00233391
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorLast$EnvironmentVariable
• String ID: environment variable not foundenvironment variable was not valid unicode: $$
• API String ID: 2691138088-3686192654
• Opcode ID: e4e490372d5509cb4eb5e525a418d43c40cc460195f92ec25f143494414d2927
• Instruction ID: 7ae8c980aceebf934df59eb5ede196bb8c794dd07cba0a0fbcfa3fbc1af2539c
• Opcode Fuzzy Hash: e4e490372d5509cb4eb5e525a418d43c40cc460195f92ec25f143494414d2927
• Instruction Fuzzy Hash: 9D91D1B1A14301AFDB10DF50DC82B6EB7E8AF94714F048818FD59A7292E771DF648B92
APIs
Strings
• TcpListenerUdpSocketlibrary\std\src\..\..\backtrace\src\symbolize\gimli\lru.rs, xrefs: 0025E391
• assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 0025E361
• socketOwnedSocketlibrary\std\src\os\windows\process.rs, xrefs: 0025E44D
• addrlinenolibrary\std\src\..\..\backtrace\src\symbolize\mod.rs, xrefs: 0025E431
• assertion failed: len >= mem::size_of::<c::sockaddr_in>()library\std\src\sys_common\net.rs, xrefs: 0025E372
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorLastgetsockname
• String ID: TcpListenerUdpSocketlibrary\std\src\..\..\backtrace\src\symbolize\gimli\lru.rs$addrlinenolibrary\std\src\..\..\backtrace\src\symbolize\mod.rs$assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()library\std\src\sys_common\net.rs$socketOwnedSocketlibrary\std\src\os\windows\process.rs
• API String ID: 566540725-3069411103
• Opcode ID: 762f47cac3c6342133f0d35b938652fb7e1f8d3d126cecdfa2d48cf3fa799e7c
• Instruction ID: 9fbe06010d07d7f50f090a00fd1696e9500b672c439326459a99afb42d8ec0e1
• Opcode Fuzzy Hash: 762f47cac3c6342133f0d35b938652fb7e1f8d3d126cecdfa2d48cf3fa799e7c
• Instruction Fuzzy Hash: 8C512330C14B44AADB26DF54D842AFFB7F4FF8A315F004609F8896B181E7749695CB92
APIs
• SetLastError.KERNEL32(00000000), ref: 0025A115
• GetFullPathNameW.KERNEL32(?,00000000,00000002,00000000,00000000), ref: 0025A121
• GetLastError.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 0025A12C
• GetLastError.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,00000002,00000000,00000000), ref: 0025A13D
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorLast$FullNamePath
• String ID:
• API String ID: 2482867836-0
• Opcode ID: 6ac88be32af5d6b0a9c33bb638d11e11f5582406c6843662e36ecd47572879b2
• Instruction ID: 5f4621b1147436a2b6261b0f6874dfa8b2f571336bc9b9a7568f6b50e79d0e87
• Opcode Fuzzy Hash: 6ac88be32af5d6b0a9c33bb638d11e11f5582406c6843662e36ecd47572879b2
• Instruction Fuzzy Hash: 9C81A3B1E20205AFDB109F94DC87FBEB7B5AF59314F184125EC04AB382E7719D248B66
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memset.MSVCRT ref: 0028697B
                                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,+NaNinf00e00E0assertion failed: ndigits > 0,?,assertion failed: parts.len() >= 6,00000022,003285F0,assertion failed: buf[0] > b'0',0000001F,003285BC,assertion failed: !buf.is_empty(),00000021,003285AC), ref: 0028699C
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • assertion failed: parts.len() >= 6, xrefs: 0028687D
                                                                                                                                                                                                    • eEe-E--+NaNinf00e00E0assertion failed: ndigits > 0, xrefs: 002867F1
                                                                                                                                                                                                    • assertion failed: buf[0] > b'0', xrefs: 0028686C
                                                                                                                                                                                                    • .0., xrefs: 002867AF
                                                                                                                                                                                                    • assertion failed: !buf.is_empty(), xrefs: 0028685B
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                    • String ID: .0.$assertion failed: !buf.is_empty()$assertion failed: buf[0] > b'0'$assertion failed: parts.len() >= 6$eEe-E--+NaNinf00e00E0assertion failed: ndigits > 0
                                                                                                                                                                                                    • API String ID: 1297977491-168991425
                                                                                                                                                                                                    • Opcode ID: e8f9da418839025f3f8c4ae6f9c1dba20385b1981cbab8935e71309703bbee04
                                                                                                                                                                                                    • Instruction ID: aad17d1bd136ddeab263ed0b5dfd68a13d4a7f5a6e987a5ceeffcdff33f1e5b9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e8f9da418839025f3f8c4ae6f9c1dba20385b1981cbab8935e71309703bbee04
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69814D75A222319BD720AF08C848BAEB7E9FF80710F168169D8495B2D1C7F6DCA5C781
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 002463C1
                                                                                                                                                                                                    • WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(00000004,?,00000004,000000FF), ref: 00246420
                                                                                                                                                                                                    • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?), ref: 00246509
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Address$Wake$SingleWait
                                                                                                                                                                                                    • String ID: called `Result::unwrap()` on an `Err` value
                                                                                                                                                                                                    • API String ID: 2488680809-2333694755
                                                                                                                                                                                                    • Opcode ID: 7fae9d26d554c6e9ea8c385fd26120b49b10edd2847e19e960cfb1e219a18f92
                                                                                                                                                                                                    • Instruction ID: d3508c84c9e3b6ee4d3c2d02c6e2a72c61b32936915d41b7ef8f02355c921d14
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7fae9d26d554c6e9ea8c385fd26120b49b10edd2847e19e960cfb1e219a18f92
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F1619E309203565BCF259F648C0ABEFBBF8AF06714F14440AF495A3282D771A965CBE3
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 002527F0: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00000000,?,002525A9,?), ref: 00252802
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002525C0
                                                                                                                                                                                                      • Part of subcall function 0020E2A0: CloseHandle.KERNEL32(?,000000FF), ref: 0020E2B3
                                                                                                                                                                                                      • Part of subcall function 0020E2A0: CloseHandle.KERNEL32(?,?,000000FF), ref: 0020E2BB
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle$CreateEvent
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1371578007-0
                                                                                                                                                                                                    • Opcode ID: f5d3158d2f5567d7d0e53a1e79cc3f361e245f2bb47352cdc558e0ad307ff00f
                                                                                                                                                                                                    • Instruction ID: ae70baf45afef757e97795a5b12597c0c571141ed1b18697520e240431997fc1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f5d3158d2f5567d7d0e53a1e79cc3f361e245f2bb47352cdc558e0ad307ff00f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82612674E20319CBDF14DF94C880AEEFBB5AF5A311F244419E805B7291DB70A86DCB65
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 002A69E0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000014,7772E820), ref: 002A69F0
                                                                                                                                                                                                      • Part of subcall function 002A82F0: WaitForMultipleObjects.KERNEL32 ref: 002A835A
                                                                                                                                                                                                    • ResetEvent.KERNEL32 ref: 002A964C
                                                                                                                                                                                                      • Part of subcall function 002A6D50: TlsGetValue.KERNEL32 ref: 002A6D62
                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32 ref: 002A968B
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ValueWait$EventMultipleObjectObjectsResetSingle
                                                                                                                                                                                                    • String ID: (
                                                                                                                                                                                                    • API String ID: 2327612466-3887548279
                                                                                                                                                                                                    • Opcode ID: 6f9839d125be8fef084681cd9597d352e844b5bdfd3803e10d9dfb61ae9cb78e
                                                                                                                                                                                                    • Instruction ID: d5629d44cb9d5e01aaaab05823c804e51f2e3d341312392c0f9bb94a1f4ed651
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f9839d125be8fef084681cd9597d352e844b5bdfd3803e10d9dfb61ae9cb78e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7951A7715383128BD7206F67894936EB6E8AF83B45F19482DE98483250DF75CCE4CBA3
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WSASocketW.WS2_32(00000002,0023E889,00000000,00000000,00000000,00000081), ref: 002503CC
                                                                                                                                                                                                    • WSAGetLastError.WS2_32(?,?,?,?,0023E889,?,?,00000001), ref: 002503E3
                                                                                                                                                                                                    • WSASocketW.WS2_32(00000002,0023E889,00000000,00000000,00000000,00000001), ref: 00250400
                                                                                                                                                                                                    • SetHandleInformation.KERNEL32(00000000,00000001,00000000,00000002,0023E889,00000000,00000000,00000000,00000001,?,?,?,?,0023E889,?,?), ref: 00250411
• WSAGetLastError.WS2_32(00000002,0023E889,00000000,00000000,00000000,00000001,?,?,?,?,0023E889,?,?,00000001), ref: 00250427
• GetLastError.KERNEL32(00000000,00000001,00000000,00000002,0023E889,00000000,00000000,00000000,00000001,?,?,?,?,0023E889,?,?), ref: 00250437
• closesocket.WS2_32(00000000), ref: 00250446
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: ErrorLast$Socket$HandleInformationclosesocket
• String ID:
• API String ID: 3114377017-0
• Opcode ID: 81ad3a217a5e93e07ae17fa3f306bf76d5498596ad451f06f19f4abb31d4762f
• Instruction ID: cdde290d350aa1c5bafb936bb3e70719105bf1625895a2cc10dc28293edd9da5
• Opcode Fuzzy Hash: 81ad3a217a5e93e07ae17fa3f306bf76d5498596ad451f06f19f4abb31d4762f
• Instruction Fuzzy Hash: 76110670230341BBEB305E248DC2F1676D8DB41B50F30486BFA99EB2C1D6F4A8648B28
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: freeaddrinfo
• String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()library\std\src\sys_common\net.rs
• API String ID: 2731292433-513854611
• Opcode ID: 4281c34f8725670cd9e182292b323acbbdebabc975f191a6cfe97bf95ce2f513
• Instruction ID: fc958cfae63fb839144f8a7b186848b6c6a08faffbebc7bcfec23e6f1a152cd3
• Opcode Fuzzy Hash: 4281c34f8725670cd9e182292b323acbbdebabc975f191a6cfe97bf95ce2f513
• Instruction Fuzzy Hash: 0BC16BB5E10215CFCB18CF48D490AAEBBB1FF89304F16806EE805AB392D7719D45CBA4
APIs
• CreateSymbolicLinkW.KERNEL32({$,00000000,-00000002,?,?,?,?,0024E17B,00000000,?,00000000,00000000,?,00000000,00000000), ref: 0024E247
• GetLastError.KERNEL32({$,00000000,-00000002,?,?,?,?,0024E17B,00000000,?,00000000,00000000,?,00000000,00000000), ref: 0024E255
• CreateSymbolicLinkW.KERNEL32(00000000,00000000,?,{$,00000000,-00000002,?,?,?,?,0024E17B,00000000,?,00000000,00000000,?), ref: 0024E268
• GetLastError.KERNEL32(00000000,00000000,?,{$,00000000,-00000002,?,?,?,?,0024E17B,00000000,?,00000000,00000000,?), ref: 0024E271
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: CreateErrorLastLinkSymbolic
• String ID: {$
• API String ID: 191780330-1700199076
• Opcode ID: 7c7179d733266c1e405f60b6e60e406e7f1ce5a2ade1fc9c9036a895c68fe891
• Instruction ID: 19a81f0a38e22f199af0dd843b850115f2f4877343673f502901fc0bf239297b
• Opcode Fuzzy Hash: 7c7179d733266c1e405f60b6e60e406e7f1ce5a2ade1fc9c9036a895c68fe891
• Instruction Fuzzy Hash: 3E31BEB1D1020AABEF04DF94DC41AEEBBB5BF58300F148429EC59A7341E771A920CBA1
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025958F
• CloseHandle.KERNEL32(?,?,000000FF), ref: 0025959A
• GetLastError.KERNEL32(?,000000FF), ref: 002595A7
• CloseHandle.KERNEL32(?), ref: 00259601
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: CloseHandle$ErrorLastObjectSingleWait
• String ID: SystemTime
• API String ID: 1454876536-2656138
• Opcode ID: 8f2d00a611169d8d31906210224ec86fb1a2d1d17bf5e93f9ecf4985720d9014
• Instruction ID: 34bd9b39d9774f7f7ad0087ac01a0a71ddff7ad9d4d3bdaa3b2fb8c4c039c7ab
• Opcode Fuzzy Hash: 8f2d00a611169d8d31906210224ec86fb1a2d1d17bf5e93f9ecf4985720d9014
• Instruction Fuzzy Hash: D3210875D01208BBDB01BBA4DC46AEF7778AF0A328F040115F91877182EB3556698BE2
APIs
• memcpy.MSVCRT(00000001,?,?), ref: 0024839A
• memcpy.MSVCRT(00000001,00000000,?), ref: 00248437
  • Part of subcall function 001FE250: GetProcessHeap.KERNEL32(?), ref: 00249460
  • Part of subcall function 001FE250: HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 00249469
• memcpy.MSVCRT(00000001,?,?), ref: 0024852D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: memcpy$Heap$FreeProcess
• String ID: PATHlibrary\std\src\sys_common\process.rs$assertion failed: self.height > 0
• API String ID: 2997710474-3507162100
• Opcode ID: 77f32be5adfa55955adaacaf183a58a8f31398262807d6b0074a740a3f4852be
• Instruction ID: 35c1ff278a9c43c730ded5476a0b2ff47957dacb60cbdee5109b9a69c755d3c3
• Opcode Fuzzy Hash: 77f32be5adfa55955adaacaf183a58a8f31398262807d6b0074a740a3f4852be
• Instruction Fuzzy Hash: 3712DF70D20B199BDB15DFA4CC81BEEB7B9BF59304F148169E808BB242EB309951CF50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: memset$memcpy
• String ID: }e($}e(
• API String ID: 368790112-3877462219
• Opcode ID: 0d290825372d1a5e30dc3fbcb170023c7602667aa6cda0abb65090b42a14d945
• Instruction ID: 1d9fddf86059679e68d92684aa5d6e9383d42b6b21e85fcce76aa0c135327c42
• Opcode Fuzzy Hash: 0d290825372d1a5e30dc3fbcb170023c7602667aa6cda0abb65090b42a14d945
• Instruction Fuzzy Hash: 41912979A1122A8BDB24EF58DCC07AEB3B5BF88300F154569D819EB3C1D7349D508F90
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • Internal buffer state failure~\.cargo\registry\src\index.crates.io-1949cf8c6b5b557f\murmur3-0.5.2\src\murmur3_32.rs, xrefs: 001F54F1
                                                                                                                                                                                                    • EN1, xrefs: 001F54EA
                                                                                                                                                                                                    • hQ1, xrefs: 001F54A5
                                                                                                                                                                                                    • @M1, xrefs: 001F549A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: @M1$EN1$Internal buffer state failure~\.cargo\registry\src\index.crates.io-1949cf8c6b5b557f\murmur3-0.5.2\src\murmur3_32.rs$hQ1
                                                                                                                                                                                                    • API String ID: 0-3637710505
                                                                                                                                                                                                    • Opcode ID: e6337607a7a1f514b692b0624c3d61a33b3bd353f0e9caa4300dcdd9e67b2a76
                                                                                                                                                                                                    • Instruction ID: d2bd6f52a6789cbbf95e879f8a33615c390c8ee3b7a15dd13eeba90e7ce11a22
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e6337607a7a1f514b692b0624c3d61a33b3bd353f0e9caa4300dcdd9e67b2a76
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC61FBB2E006189FCB04CF58DC51BBE7BB2BF89324F094169EA1997392D7359945CB90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: 997462416779d11ae10a43ab7d4cac28b83f914000ce9a0c54f5b35bebb23b35
                                                                                                                                                                                                    • Instruction ID: 940883ce38310a92dae6152762c88d6e007e40a443b7feb062a99c8d13763898
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 997462416779d11ae10a43ab7d4cac28b83f914000ce9a0c54f5b35bebb23b35
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6B5113B1E247598FCB00DFA4DC81BEEBBB0AF46300F184049E948BB242E7359815CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(00000000,?,00000000,00350058,?,?,?,?,?,?,?,?,?,?,00000001), ref: 002302F4
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(00000000,00000000,?,00000000,00350058,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00230317
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(00000000,00000000,00000000,?,00000000,00350058,?,?,?,?,?,?,?,?,?,?), ref: 0023032D
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00350058), ref: 00230361
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,?,00000000,00350058), ref: 00230376
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,?,00000000,00350058), ref: 00230399
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Value
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3702945584-0
                                                                                                                                                                                                    • Opcode ID: 9736f954ace6e08081a681b180df334ab36e7912a4b653777dcca9972d1ea2b2
                                                                                                                                                                                                    • Instruction ID: 6a499ea086878a8e416d565beeb6b5c685139b649844c20371c77f6089ac93f6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9736f954ace6e08081a681b180df334ab36e7912a4b653777dcca9972d1ea2b2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 93318FF4A702055BAA14EB68DCD2D7F73A8EB44341F480060FC05E7352DA72EE258AB3
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • calloc.MSVCRT ref: 002A8648
                                                                                                                                                                                                    • free.MSVCRT ref: 002A86D7
                                                                                                                                                                                                    • free.MSVCRT ref: 002A86FF
                                                                                                                                                                                                      • Part of subcall function 002A9470: calloc.MSVCRT ref: 002A94A2
                                                                                                                                                                                                      • Part of subcall function 002A9470: CreateSemaphoreA.KERNEL32 ref: 002A94F8
                                                                                                                                                                                                      • Part of subcall function 002A9470: CreateSemaphoreA.KERNEL32 ref: 002A951F
                                                                                                                                                                                                      • Part of subcall function 002A9470: InitializeCriticalSection.KERNEL32 ref: 002A953E
                                                                                                                                                                                                      • Part of subcall function 002A9470: InitializeCriticalSection.KERNEL32 ref: 002A9549
                                                                                                                                                                                                      • Part of subcall function 002A9470: InitializeCriticalSection.KERNEL32 ref: 002A9554
                                                                                                                                                                                                    • free.MSVCRT ref: 002A8747
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalInitializeSectionfree$CreateSemaphorecalloc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3430360044-3916222277
                                                                                                                                                                                                    • Opcode ID: 7c7c0541aae3a9993defe68905c02274730ffd7a2e58aa1a6a661b71b853b83b
                                                                                                                                                                                                    • Instruction ID: e68ad5ff8db674b1e2dc37582bfc6db793d11d7833d1304f9e6307da826d4403
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7c7c0541aae3a9993defe68905c02274730ffd7a2e58aa1a6a661b71b853b83b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A5314DB56197018FD700AF26D88432BBBE5EF85314F15886EE5888B301DB75C869CFD2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(003500E4,?,?,002496F6,003500E8,00000000), ref: 0025D2EC
                                                                                                                                                                                                    • WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(003500EC,?,?,002496F6,003500E8,00000000), ref: 0025D32A
                                                                                                                                                                                                    • WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0(003500E8,?,002496F6,003500E8,00000000), ref: 0025D33E
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,00000001,00000000,?,?,?,0031D44C,00000024,0031D470,?,?,002496F6,003500E8,00000000), ref: 0025D36F
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,00000000,?,00000001,00000000,?,?,?,0031D44C,00000024,0031D470,?,?,002496F6,003500E8,00000000), ref: 0025D382
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: AddressWake$SingleValue
• String ID:
• API String ID: 1317188499-0
• Opcode ID: 96c1a290749f8b1d28ffd85193a563c677104f4a6f60ea9d20fae32750b28c82
• Instruction ID: 25df54236b333756b3085b45bbcd747a7e03bfc7cf3d72459f32330e5596e44d
• Opcode Fuzzy Hash: 96c1a290749f8b1d28ffd85193a563c677104f4a6f60ea9d20fae32750b28c82
• Instruction Fuzzy Hash: 14217871111216ABDF365F58A801B9A77A8DF4932BF00443DF94ED7241CF34A856CBD9
APIs
  • Part of subcall function 0024C080: NtOpenFile.NTDLL(00000000,?,?,00000103,00000007,?), ref: 0024C0F7
• SetFileInformationByHandle.KERNEL32(?,00000015,00000013,00000004), ref: 0024C212
• GetLastError.KERNEL32(?,00000015,00000013,00000004), ref: 0024C21B
• SetFileInformationByHandle.KERNEL32(?,00000004,00000001,00000001,?,00000015,00000013,00000004), ref: 0024C23C
• CloseHandle.KERNEL32(?,?,00000015,00000013,00000004), ref: 0024C248
• GetLastError.KERNEL32(?,00000004,00000001,00000001,?,00000015,00000013,00000004), ref: 0024C265
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: FileHandle$ErrorInformationLast$CloseOpen
• String ID:
• API String ID: 1689364314-0
• Opcode ID: b79ccbc9543e70f309300c1fa5a0497ca0ee9464cb26cf698f68fbcf3bb9e4e1
• Instruction ID: d1a64e1fe2d74060ca33a0800830b064c8fe82da96141db1b9da077b766325c4
• Opcode Fuzzy Hash: b79ccbc9543e70f309300c1fa5a0497ca0ee9464cb26cf698f68fbcf3bb9e4e1
• Instruction Fuzzy Hash: 7711E971F2110AABEF64E9DC8C81BBF62ACDB86B44F304025FE04D6181D9F1CC6187A2
APIs
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,00000000,?,002525A9,?), ref: 00252802
• GetLastError.KERNEL32(00000000,00000001,00000001,00000000,?,?,00000000,?,002525A9,?), ref: 0025284B
• CloseHandle.KERNEL32(?,00000000,00000001,00000001,00000000,?,?,00000000,?,002525A9,?), ref: 0025285E
• CloseHandle.KERNEL32(00000000,?,?,002525A9,?), ref: 00252879
• CloseHandle.KERNEL32(?,00000000,?,?,002525A9,?), ref: 0025287F
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: CloseHandle$CreateErrorEventLast
• String ID:
• API String ID: 3743700123-0
• Opcode ID: 4be6ed29eab0f114c089709e88fcc92a5cff926ba1b3cbeb02a079c22a189033
• Instruction ID: 115e37ce5aede2cc821f5f1bf2bf312f084e3f95c6673d818baac5c098af6862
• Opcode Fuzzy Hash: 4be6ed29eab0f114c089709e88fcc92a5cff926ba1b3cbeb02a079c22a189033
• Instruction Fuzzy Hash: 35110870A20702AFE310AF65DC82B15B7E8AF47714F044126F7089F2D2EBB1A464CBB1
APIs
• TerminateProcess.KERNEL32(?,00000001,00000000,?,?,?,?,?), ref: 00245603
• GetLastError.KERNEL32(?,00000001,00000000,?,?,?,?,?), ref: 00245611
• WaitForSingleObject.KERNEL32(?,00000000,?,00000001,00000000,?,?,?,?,?), ref: 00245620
• GetLastError.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,?,?,?,?), ref: 00245647
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: ErrorLast$ObjectProcessSingleTerminateWait
• String ID:
• API String ID: 536955195-0
• Opcode ID: 25a8aaf39ca2f70561c3e3ef9cfea3edae8c9d3b2d333671584e5bae49a495be
• Instruction ID: b34eb06b74aaf9280f3274b3dc21db6b7581862fd073ae92c571c338ff135cee
• Opcode Fuzzy Hash: 25a8aaf39ca2f70561c3e3ef9cfea3edae8c9d3b2d333671584e5bae49a495be
• Instruction Fuzzy Hash: F001A7702207256BEB245E558C81B7EBBACDF46750F550025FD84C7243DA71DC618EA2
APIs
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,0024676B,?,00000000,00000000), ref: 002596B9
• GetLastError.KERNEL32(?,?,?,?,?,?,0024676B,?,00000000,00000000), ref: 00259793
• CloseHandle.KERNEL32(?,?,00000000,0031BA84), ref: 002597F8
Strings
• called `Result::unwrap()` on an `Err` value, xrefs: 002597B5
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: CloseErrorFrequencyHandleLastPerformanceQuery
• String ID: called `Result::unwrap()` on an `Err` value
• API String ID: 4077432747-2333694755
• Opcode ID: b4e814770195ddf6316daee5e6d7a616d2d93f3fb28b272e6dcdd14605ae57fa
• Instruction ID: 8ea8dd5e6b99e1baa69819aa2299f6bbade9c0a1a1d02e044c123dcc88c3451d
• Opcode Fuzzy Hash: b4e814770195ddf6316daee5e6d7a616d2d93f3fb28b272e6dcdd14605ae57fa
• Instruction Fuzzy Hash: 0941D772A143056FCB08EF28CC41A6BF7E9EFC9750F05892DF888D7251E73199548B92
APIs
• GetModuleHandleA.KERNEL32(kernel32), ref: 0025A748
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0025A757
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetTempPath2W$kernel32
• API String ID: 1646373207-407914046
• Opcode ID: fadaf8fbab27e4866bc093a0ffe01ea9760bcc7a5bf5d165acb4db1896fc23b6
• Instruction ID: 27e2c08de8d8c8166939cb15fe34ae1aee48564b4e985d52eab1dc36d90d8886
• Opcode Fuzzy Hash: fadaf8fbab27e4866bc093a0ffe01ea9760bcc7a5bf5d165acb4db1896fc23b6
• Instruction Fuzzy Hash: A0D05E30398305AB974D67652E9B77A77D89A4E351300063DEE00C2641E931F825859D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3859560861-0
                                                                                                                                                                                                    • Opcode ID: d4487b1d364b909ce9ece69a1dfcbd51feeca3f3031dd99c8691f668fb39c7c0
                                                                                                                                                                                                    • Instruction ID: 3b6ec7a43d0ed38488c758351adbf9ab1566b21bb6b0474efc98991965c410e8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4487b1d364b909ce9ece69a1dfcbd51feeca3f3031dd99c8691f668fb39c7c0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E22E875D10A19CBCB14CF54C890AEEF7B5FF99304F1486AAD819AB311DB30AA95CF90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3859560861-0
                                                                                                                                                                                                    • Opcode ID: 4824b42a6ac744b2b02baa38f1a4bf65810f45f063e5377d4268d964aeb768c5
                                                                                                                                                                                                    • Instruction ID: e1ea392e44bcfd9165cc08b75843d221749b78dfad4401ef4849c8abf48075e5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4824b42a6ac744b2b02baa38f1a4bf65810f45f063e5377d4268d964aeb768c5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2822F875D10A1ACBCB14CF54C890AEEF7B5FF99304F1486AAD8196B311DB30AA95CF90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3859560861-0
                                                                                                                                                                                                    • Opcode ID: 39890928101324a9ccebe26de27779a05baf9decc67d5371b204742efa0cbc9f
                                                                                                                                                                                                    • Instruction ID: 28e2b90b84576a805c750bfcc74fa1445fed222f71ca2f8550ddc0548cb922e6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39890928101324a9ccebe26de27779a05baf9decc67d5371b204742efa0cbc9f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8022E875D10A19CBCB14CF54C890AEEF7B5FF99304F1486AAD819AB311DB30AA95CF90
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3859560861-0
                                                                                                                                                                                                    • Opcode ID: 76703f28b1d522db08b38e1def9b4ac2788e459f03e655317148785c2119912d
                                                                                                                                                                                                    • Instruction ID: aee1e2040e978c07b1e4628dd999392e1c536dc2101fe6c9112474dfd20b3472
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 76703f28b1d522db08b38e1def9b4ac2788e459f03e655317148785c2119912d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F22F874D10A19CBCB14CF54C880AEEF7B5FF99304F1486AAD8196B311DB30AA95CF90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,0027D75B,00000000,?,?,?,?,0024C5DB,0024C5DA,?,?,00000000,00326A0C), ref: 00249494
                                                                                                                                                                                                    • HeapReAlloc.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,0027D75B,00000000,?,?,?,?,0024C5DB,0024C5DA), ref: 0024949E
                                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,?,?,?,?,?,00326A0C,?,?,?,00000000,?,?), ref: 002494E1
                                                                                                                                                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00326A0C,?,?,?,00000000,?,?), ref: 002494EC
                                                                                                                                                                                                    • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00326A0C,?,?,?,00000000), ref: 002494F5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$Process$AllocFreememcpy
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3405790324-0
                                                                                                                                                                                                    • Opcode ID: 46882976521753e962c88f999377f3c58e74f38a72441a89e94f0b68cf1a7511
                                                                                                                                                                                                    • Instruction ID: 33c8660c0a6e8d5dbad26c3f7e88d34d2d620f64792647bafb258cfea43032ed
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 46882976521753e962c88f999377f3c58e74f38a72441a89e94f0b68cf1a7511
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F41173716243156BD7109E68C885B5BB7ECEFC5314F118529FC0897201EA70AD258AA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,001FB0EA,?,?,001FB0EA,00000000,?,?), ref: 0027E0D2
                                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,?,?,?,?,?,?,00000000,?,$l2,$l2,001FB0EA,00000000,?,?), ref: 0027E1D2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                    • String ID: $l2$$l2
                                                                                                                                                                                                    • API String ID: 3510742995-331498824
                                                                                                                                                                                                    • Opcode ID: 5796f47874d3374714e37b341c7fdb3b397e0b65d8c955dd733bf6adfaee13ae
                                                                                                                                                                                                    • Instruction ID: a29bbce602b4e84a0754c54c35099c69352b4e6bce76ccfd07dca4be297682d4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5796f47874d3374714e37b341c7fdb3b397e0b65d8c955dd733bf6adfaee13ae
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F45198B0D102156FDF00AFA9DC86EBB7BBCEF49314F15C465F80C97252E67199218BA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memcpy.MSVCRT(00000001,?,?), ref: 002814F7
                                                                                                                                                                                                    • memcpy.MSVCRT(00000001,?,?), ref: 00281551
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                                    • String ID: @k2$@k2
                                                                                                                                                                                                    • API String ID: 3510742995-1906436157
                                                                                                                                                                                                    • Opcode ID: 0f1a1f291d117636aa6fdf88d2e8f33141252188f59d155acd5fe2ccd283237e
                                                                                                                                                                                                    • Instruction ID: 6282cbc28aaee77fbe739659cff57635a7442944549afd8b6de488dc29a6a595
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f1a1f291d117636aa6fdf88d2e8f33141252188f59d155acd5fe2ccd283237e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC5174B5E112199FCF10EF94DC81EAEB7B8AF49300F144029E919B7381E7719925CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?), ref: 002591F2
                                                                                                                                                                                                    • ReadConsoleW.KERNEL32(?,0031CF04,00000001,00000000,?,00000000,?), ref: 00259202
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,0031CF04,00000001,00000000,?,00000000,?), ref: 00259212
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,0031CF04,00000001,00000000,?,00000000,?), ref: 00259287
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$ConsoleRead
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2254617233-0
                                                                                                                                                                                                    • Opcode ID: 2025726e823ca91363ef9315d138912482a9b3810094392d83a646e3b554153a
                                                                                                                                                                                                    • Instruction ID: 14e869b2059a7ed39995d42e9b931b9a4288baef02044f3cbf5724b6a51af89e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2025726e823ca91363ef9315d138912482a9b3810094392d83a646e3b554153a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C141B371A2021AFBDF10EFA4C881BEF77A8AF49311F048069ED09A7241D77199A5C7A5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __p__commode__p__fmode__set_app_type
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3338496922-0
                                                                                                                                                                                                    • Opcode ID: 748b9c94a9c23ba5fd3ebb93512af291cd46b2f79c8f2c697dd628368fef7dac
                                                                                                                                                                                                    • Instruction ID: cc89463bc2098fd4e2909df40b602dccc074fcbe432080fa4a8720db58ef1d2d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 748b9c94a9c23ba5fd3ebb93512af291cd46b2f79c8f2c697dd628368fef7dac
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3A21DF70510306DBC719EF20D8093BA73F4BF45344F958A68E1194B666EF3B98CACB96
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • UnlockFile.KERNEL32(?,00000000,00000000,000000FF,000000FF), ref: 00235446
                                                                                                                                                                                                    • UnlockFile.KERNEL32(?,00000000,00000000,000000FF,000000FF,?,00000000,00000000,000000FF,000000FF), ref: 00235458
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,000000FF,000000FF,?,00000000,00000000,000000FF,000000FF), ref: 00235461
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,000000FF,000000FF), ref: 00235472
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorFileLastUnlock
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3655728120-0
                                                                                                                                                                                                    • Opcode ID: cd91cb9532f03e2d504fe89ff3b9144a8d410329774d4e8a71c7d3a3d2a98376
                                                                                                                                                                                                    • Instruction ID: b66264be79c417ae606a31bb4c748e14bc2803ac868e2c6221e495047f80a7e0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd91cb9532f03e2d504fe89ff3b9144a8d410329774d4e8a71c7d3a3d2a98376
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B3F02470228362BBDB205F688C01F1677D48B43731F304719FBB8AB2C1DAB5A8908761
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0024568B
                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00245696
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,000000FF), ref: 0024569F
                                                                                                                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 002456BB
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2321548817-0
                                                                                                                                                                                                    • Opcode ID: 69a56f6582363e804a401e43d8be51aba516ca54cd33ddb105b77b7c2e86dab8
                                                                                                                                                                                                    • Instruction ID: 4a138a7b0c24ba6c2c16278181eaec2a7a7ef4f0d6e3dd05751680d14fa8ee15
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69a56f6582363e804a401e43d8be51aba516ca54cd33ddb105b77b7c2e86dab8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7CF04FB0510756ABDB10DF59C840B5AF7FCEF45320F554019EDA897281E775E860CBA1
APIs
• QueryPerformanceCounter.KERNEL32 ref: 0024674D
• GetLastError.KERNEL32 ref: 0024678B
  • Part of subcall function 00259680: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,0024676B,?,00000000,00000000), ref: 002596B9
Strings
• called `Result::unwrap()` on an `Err` value, xrefs: 002467AD
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: PerformanceQuery$CounterErrorFrequencyLast
• String ID: called `Result::unwrap()` on an `Err` value
• API String ID: 158728112-2333694755
• Opcode ID: 02333792d9af99af01f11909591b37630b5f715cfb5ecf17f213101d73820e4e
• Instruction ID: 98ebb66292204c14f57ba24d8745864dfbe123ae6f58aff07bbeadb9ddacad30
• Opcode Fuzzy Hash: 02333792d9af99af01f11909591b37630b5f715cfb5ecf17f213101d73820e4e
• Instruction Fuzzy Hash: 00219376A04301BBCB00AF59D805A9BBBF4EF89720F00882DF99C87251E731D964CB92
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: fprintf
• String ID: %p not found?!?!
• API String ID: 383729395-11085004
• Opcode ID: a9998995349707a0349b0eb20dbb034ab13131f6236402920d4e46890cb9b34a
• Instruction ID: 52a871b2988c127260fb894c13a6c806e18ed43a2c1c5c8a2d2de80fee08fdb5
• Opcode Fuzzy Hash: a9998995349707a0349b0eb20dbb034ab13131f6236402920d4e46890cb9b34a
• Instruction Fuzzy Hash: 66115270524B218FCB50AF3594C466BB7E8AF06B90F86442DD9898B211DF74D8A0CF52
APIs
• TlsSetValue.KERNEL32(?,00000001,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00230600,00000000,00245A7E), ref: 002306B2
• TlsGetValue.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00230600,00000000), ref: 002306C6
• TlsGetValue.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,00000000,00000000,00000000,?,00230600), ref: 002306DC
• TlsSetValue.KERNEL32(00000000,-00000007,?,?,00000001), ref: 0023076E
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 8e3b770496a6980d9991e1e279d6706c151afbd0474a88f38d245f1a84c49c85
• Instruction ID: 6302e249b43fc67775ad2d1fcd66b90bb711584081aead87744a68b9c32d70a6
• Opcode Fuzzy Hash: 8e3b770496a6980d9991e1e279d6706c151afbd0474a88f38d245f1a84c49c85
• Instruction Fuzzy Hash: DE51D8F0D202059BEF04DF94D891BEEBBB8AF44305F040015E804BB282DB769965CFB1
APIs
• TlsGetValue.KERNEL32(-00000001,?,?,00000008,00000018), ref: 00264075
• TlsGetValue.KERNEL32(00000000,?,00000000,?,?,?,00000008,00000018), ref: 002640C5
• TlsSetValue.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000008,00000018), ref: 002640D1
• TlsGetValue.KERNEL32(00000000,?,?,?,00000008,00000018), ref: 00264100
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 936c5fc94ea8a7fc2084f0410540c796d1eeeddcc2188046331691e3aae30274
• Instruction ID: 8288e6e27d5122ba8e3aa529d75401026d59ddfd50fe996ecc8373073dba8a5b
• Opcode Fuzzy Hash: 936c5fc94ea8a7fc2084f0410540c796d1eeeddcc2188046331691e3aae30274
• Instruction Fuzzy Hash: 28215772D302258FDB10BF689C42A6FB7A8EF52310F154452FA489B292DF719D748BE1
APIs
• memcpy.MSVCRT(00000000,?,?), ref: 0024750E
• memcpy.MSVCRT(00000000,?,?), ref: 00247552
• GetProcessHeap.KERNEL32 ref: 0024755D
• HeapFree.KERNEL32(00000000,00000000,?), ref: 00247566
  • Part of subcall function 0025A950: GetProcessHeap.KERNEL32(?,0024942C,?,?,?,?,?,?,?,?,?,?,?,?,80000000,?), ref: 0025A953
  • Part of subcall function 0025A950: HeapAlloc.KERNEL32(00000000,?,?,?,0024942C), ref: 0025A963
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Heap$Processmemcpy$AllocFree
• String ID:
• API String ID: 1904491526-0
• Opcode ID: 73df4b082369a9695a373649fd978ccbebfab89fba2fcdb34035ad8a3d1ba8fe
• Instruction ID: 998f32ab7f19367be4c861df4efa82abe48e44ddd581881186dee88178b62329
• Opcode Fuzzy Hash: 73df4b082369a9695a373649fd978ccbebfab89fba2fcdb34035ad8a3d1ba8fe
• Instruction Fuzzy Hash: 1511A3B2A143115BCB10AF699C86A5FB7A9AFC9710F558139FC0897201EB30DC248AA2
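The function records above all share one fixed layout: an APIs list with `ref:` call-site addresses and optional "Part of subcall function" entries, a Strings list with `xrefs:`, the Memory Dump Source block, and the Similarity identifiers. The following script is an added example for this page, not Joe Sandbox code: it parses records in that layout into structured objects so that the TLS, heap and timing calls can be queried across records instead of read line by line. The sample text embedded in it is constructed from two of the records above, with the long hashes shortened; the field names and helper functions (`parse_records`, `records_calling`, `api_profile`) are this example's own choice.

```python
# Added example (not Joe Sandbox code): parse the per-function records above
# into dataclasses that can be queried across records.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from the report, whitespace stripped, hashes shortened.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32 ref: 0024674D
• GetLastError.KERNEL32 ref: 0024678B
  • Part of subcall function 00259680: QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,0024676B,?,00000000,00000000), ref: 002596B9
Strings
• called `Result::unwrap()` on an `Err` value, xrefs: 002467AD
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: PerformanceQuery$CounterErrorFrequencyLast
• String ID: called `Result::unwrap()` on an `Err` value
• API String ID: 158728112-2333694755
• Instruction Fuzzy Hash: 00219376A04301BB
APIs
• TlsSetValue.KERNEL32(?,00000001), ref: 002306B2
• TlsGetValue.KERNEL32(?,?,00000001), ref: 002306C6
• TlsSetValue.KERNEL32(00000000,-00000007,?,?,00000001), ref: 0023076E
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)"   # e.g. TlsGetValue.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"            # arguments as observed at run time, if listed
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                          # call-site address
    args: list                        # observed arguments, "?" where the sandbox had no value
    subcall_of: Optional[int] = None  # callee address when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, xref address) pairs
    source: dict = field(default_factory=dict)
    similarity: dict = field(default_factory=dict)  # "API ID", "String ID", hashes, ...


def parse_records(text):
    """Split report text into FunctionRecords; every record opens with an 'APIs' header."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
            continue
        if not records:          # tail of a record cut off above the input: nothing to attach it to
            continue
        rec = records[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            sub = int(m["subfn"], 16) if m["subfn"] else None
            rec.apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), args, sub))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            rec.strings.append((m["text"], int(m["xref"], 16)))
        elif section == "Memory Dump Source":
            if m := SOURCE_RE.match(line):
                rec.source.update(file=m["file"], offset=int(m["offset"], 16), pe=m["pe"] == "true")
            elif line.startswith("• Associated:"):
                rec.source.setdefault("associated", []).append(line.split(":", 1)[1].strip())
        elif section == "Similarity":
            key, _, value = line.lstrip("• ").partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records


def records_calling(records, api, include_subcalls=False):
    """Indexes of records that call `api` themselves (or, optionally, through a listed subcall)."""
    return [i for i, r in enumerate(records)
            if any(c.name == api and (include_subcalls or c.subcall_of is None) for c in r.apis)]


def records_with_string(records, needle):
    return [i for i, r in enumerate(records) if any(needle in s for s, _ in r.strings)]


def api_profile(records):
    """How many records call each API directly: a quick triage view of the sample."""
    return Counter(n for r in records for n in {c.name for c in r.apis if c.subcall_of is None})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records; direct API profile:", dict(api_profile(recs)))
    print("TLS users:", records_calling(recs, "TlsGetValue"),
          "Rust panic string:", records_with_string(recs, "Result::unwrap()"))
```

Paste the full report text into `SAMPLE` (or read it from a file) to get the same queries over every record. The `include_subcalls` switch matters: Joe Sandbox lists a callee's APIs under the caller's record as "Part of subcall function", so a naive count of API names per record double-counts calls such as QueryPerformanceFrequency and HeapAlloc that belong to the shared helper, not to the function being described.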
APIs
• TlsGetValue.KERNEL32(?,?,?,0022FE9D,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0023044F
• TlsGetValue.KERNEL32(00000000,0022FE9D,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0023048A
• TlsGetValue.KERNEL32(00000000,00000000,0022FE9D,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0023049F
• TlsGetValue.KERNEL32(00000000,00000000,00000000,0022FE9D,?,?,?,?,?,?,?,?,?,?,00000001), ref: 002304B1
Memory Dump Source
• Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
• Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
Similarity
• API ID: Value
• String ID:
                                                                                                                                                                                                    • API String ID: 3702945584-0
                                                                                                                                                                                                    • Opcode ID: 4ed631fe08c9d6048969614b376876f05fcdd8bc54f9a7f45e92d157aaafe02a
                                                                                                                                                                                                    • Instruction ID: 4a2e2302a3d8e87ef0c8f5d3c44e508987c8a4a2f2de307bbfd88766243da88f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4ed631fe08c9d6048969614b376876f05fcdd8bc54f9a7f45e92d157aaafe02a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A0145E4BB0205579E14B6A8ACD2E6A7389D680353F040432EF09C7661DD22DE688AB2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.1534072745.00000000001F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001F0000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534051776.00000000001F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534155505.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534177540.00000000002B1000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534247310.0000000000351000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534266348.0000000000352000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000000.00000002.1534287934.0000000000355000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1f0000_uo9m.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                                                                    • Opcode ID: a322bf90f38147dd208aabad70a575d61a942dd54d757470b5a91c8da1f53763
                                                                                                                                                                                                    • Instruction ID: 5f7a317e0d379b8a5e51111784cc98346e3a1fe6fe2ba0cc44862375a11d7d21
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a322bf90f38147dd208aabad70a575d61a942dd54d757470b5a91c8da1f53763
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8AF0C0311102149BDF196F08D8C5B567769EB41366F1480A1EE046A156CB7ADCB1CFB1