
Windows Analysis Report
kas77c5mDL.exe

Overview

General Information

Sample name: kas77c5mDL.exe (renamed because original name is a hash value)
Original sample name: 8059579bea79e8c443e2195994c51bfe.exe
Analysis ID: 1521402
MD5: 8059579bea79e8c443e2195994c51bfe
SHA1: d51b187147993d7fe5d20cb7ff02d8285e021860
SHA256: cbd39ae2915c2b2a99fbd27afff7480aec76d595d88c34def92e4a66bbf396e2
Tags: exe, user-abuse_ch

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • kas77c5mDL.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\kas77c5mDL.exe" MD5: 8059579BEA79E8C443E2195994C51BFE)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: kas77c5mDL.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: kas77c5mDL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: kas77c5mDL.exe | Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00644900 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00643E40 FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00504FC0 FindClose,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00527D60 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError
Source: kas77c5mDL.exe | String found in binary or memory: http://schemas.micr
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00573140 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0051E1A0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004F82C0 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004FB360 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0050A430 NtdllDefWindowProc_W,DeleteCriticalSection
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004F8970 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004FB9C0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004F7AF0 NtdllDefWindowProc_W,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00502A80 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004FAB70 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00502BF0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0050FE20 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_005DCE20 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004E1490
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0064C030
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0073302F
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_005240E0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00501110
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00503130
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00621110
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A61E0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_005161C0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_007211E0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A41C0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A5270
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A7230
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0072837E
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0069E350
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00511310
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00529330
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A6420
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0071840E
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00510540
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00527530
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004E3530
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A5790
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A38C0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0051F8B0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0069D890
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0072D961
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0050E910
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00517990
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A3A70
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00520AF0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00510AB0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0065AB60
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0069FB10
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00521C00
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0052DC20
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0069DCA0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006B2D30
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A6D10
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0053EDF0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_006A3DB0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00577DB0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00535E30
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: String function: 0070B8BD appears 46 times
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: String function: 004E93B0 appears 108 times
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: String function: 0070B8C9 appears 31 times
Source: kas77c5mDL.exe | Binary or memory string: OriginalFileName vs kas77c5mDL.exe
Source: kas77c5mDL.exe, 00000000.00000000.1686997293.000000000086D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSetup.exe@ vs kas77c5mDL.exe
Source: kas77c5mDL.exe, 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSetup.exe@ vs kas77c5mDL.exe
Source: kas77c5mDL.exe | Binary or memory string: OriginalFileNameSetup.exe@ vs kas77c5mDL.exe
Source: kas77c5mDL.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: clean7.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00647B80 FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0053BD00 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004EA7E0 LoadResource,LockResource,SizeofResource
Source: kas77c5mDL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kas77c5mDL.exe | File read: C:\Users\user\Desktop\kas77c5mDL.exe
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: lpk.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Section loaded: wintypes.dll
Source: kas77c5mDL.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: kas77c5mDL.exe | Static file information: File size 15059585 > 1048576
Source: kas77c5mDL.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c2000
Source: kas77c5mDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kas77c5mDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kas77c5mDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kas77c5mDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kas77c5mDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kas77c5mDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kas77c5mDL.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: kas77c5mDL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kas77c5mDL.exe | Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
Source: kas77c5mDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kas77c5mDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kas77c5mDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kas77c5mDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kas77c5mDL.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0064E070 InitializeCriticalSection,EnterCriticalSection,GetCurrentProcess,GetCurrentThread,SymSetOptions,LoadLibraryA,GetProcAddress,SymInitialize,StackWalk,GetModuleHandleW,SymCleanup,LeaveCriticalSection
Source: kas77c5mDL.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0071044E push ecx; ret | 0_2_00710461
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004FF8A0 push ecx; mov dword ptr [esp], ecx | 0_2_004FF8A1
Source: C:\Users\user\Desktop\kas77c5mDL.exe | API coverage: 3.5 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00644900 FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00643E40 FindFirstFileW,FindFirstFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00504FC0 FindClose,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00527D60 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLastError
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_007149B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0063E400 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0064E070 InitializeCriticalSection,EnterCriticalSection,GetCurrentProcess,GetCurrentThread,SymSetOptions,LoadLibraryA,GetProcAddress,SymInitialize,StackWalk,GetModuleHandleW,SymCleanup,LeaveCriticalSection
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0070F32D mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0071C8BC mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_00729E5A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_004F20A0 GetProcessHeap,HeapFree
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_007149B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0070FE1E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0063F600 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\kas77c5mDL.exe | Code function: 0_2_0063E310 GetLocalTime
MITRE ATT&CK Matrix (entries prefixed with a number are the techniques matched in this analysis, with the match count; entries without a number were not matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 1 Native API; Scheduled Task/Job; At; Cron
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 2 Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 System Time Discovery; 3 Security Software Discovery; 2 File and Directory Discovery; 4 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
kas77c5mDL.exe | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.micr | kas77c5mDL.exe | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1521402
Start date and time: 2024-09-28 08:43:48 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kas77c5mDL.exe (renamed because original name is a hash value)
Original Sample Name: 8059579bea79e8c443e2195994c51bfe.exe
Detection: CLEAN
Classification: clean7.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Report size getting too big, too many NtSetInformationFile calls found.
  • VT rate limit hit for: kas77c5mDL.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.805394793430661
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: kas77c5mDL.exe
File size: 15'059'585 bytes
MD5: 8059579bea79e8c443e2195994c51bfe
SHA1: d51b187147993d7fe5d20cb7ff02d8285e021860
SHA256: cbd39ae2915c2b2a99fbd27afff7480aec76d595d88c34def92e4a66bbf396e2
SHA512: 1c6e33e8b15108602f32f937436cdc68b7c41795caad2fd6d401a18521d112f7259a751a56882305d01da30bf4e17f1ddff5a934f36ee9f42cf76b40f97dbb06
SSDEEP: 393216:OX9lzMRum1QuPC0GxzYbTm6w99th6XKsJSl7Vs4VsZKc8jXj:09lzMRum1Qz0GxzYbFwhkPMLs46Kp
TLSH: 64E6F130764AC86BD56611B01A2C9AAB922CAD360F615CC7B3DC7D5E17B4DC31633E2B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................3...!...3.......".......".......".......3.......3.......3.......3...................k.....A.......)............
Icon Hash: f0f0d3f4f09a9c90
Entrypoint: 0x630270
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x666AD704 [Thu Jun 13 11:24:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 63ed59597dad42eeec3f01fae0ba2a2e
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
  Subject Chain
    Version:
    Thumbprint MD5:
    Thumbprint SHA-1:
    Thumbprint SHA-256:
    Serial:
        Instruction
        call 00007FA2D4ACF58Bh
        jmp 00007FA2D4ACED4Dh
        push ebp
        mov ebp, esp
        and dword ptr [00781D64h], 00000000h
        sub esp, 24h
        or dword ptr [0077E068h], 01h
        push 0000000Ah
        call dword ptr [006C327Ch]
        test eax, eax
        je 00007FA2D4ACF082h
        and dword ptr [ebp-10h], 00000000h
        xor eax, eax
        push ebx
        push esi
        push edi
        xor ecx, ecx
        lea edi, dword ptr [ebp-24h]
        push ebx
        cpuid
        mov esi, ebx
        pop ebx
        nop
        mov dword ptr [edi], eax
        mov dword ptr [edi+04h], esi
        mov dword ptr [edi+08h], ecx
        xor ecx, ecx
        mov dword ptr [edi+0Ch], edx
        mov eax, dword ptr [ebp-24h]
        mov edi, dword ptr [ebp-20h]
        mov dword ptr [ebp-0Ch], eax
        xor edi, 756E6547h
        mov eax, dword ptr [ebp-18h]
        xor eax, 49656E69h
        mov dword ptr [ebp-04h], eax
        mov eax, dword ptr [ebp-1Ch]
        xor eax, 6C65746Eh
        mov dword ptr [ebp-08h], eax
        xor eax, eax
        inc eax
        push ebx
        cpuid
        mov esi, ebx
        pop ebx
        nop
        lea ebx, dword ptr [ebp-24h]
        mov dword ptr [ebx], eax
        mov eax, dword ptr [ebp-04h]
        or eax, dword ptr [ebp-08h]
        or eax, edi
        mov dword ptr [ebx+04h], esi
        mov dword ptr [ebx+08h], ecx
        mov dword ptr [ebx+0Ch], edx
        jne 00007FA2D4ACEF15h
        mov eax, dword ptr [ebp-24h]
        and eax, 0FFF3FF0h
        cmp eax, 000106C0h
        je 00007FA2D4ACEEF5h
        cmp eax, 00020660h
        je 00007FA2D4ACEEEEh
        cmp eax, 00020670h
        je 00007FA2D4ACEEE7h
        cmp eax, 00030650h
        je 00007FA2D4ACEEE0h
        cmp eax, 00030660h
        je 00007FA2D4ACEED9h
        cmp eax, 00030670h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x37c4d8 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38d000 | 0x2f100 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x336e690 | 0x2678 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3bd000 | 0x30444 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x319f00 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x319f80 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2e9370 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2c3000 | 0x330 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x37996c | 0x240 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2c1e3a | 0x2c2000 | b0bf24b6d523cfb564d7e0757a952805 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2c3000 | 0xba792 | 0xba800 | f919d87d6ee082679f915cffdf67e52f | False | 0.3259061348022788 | data | 5.066879645655034 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x37e000 | 0xda00 | 0x3600 | 38e6c63fe869f0b839b0076fb92be91c | False | 0.2349537037037037 | DOS executable (block device driver) | 4.452574671822254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x38c000 | 0x70c | 0x800 | 80d6f41695e44fa54ad8cb4e873973ee | False | 0.4150390625 | data | 4.58561996007191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x38d000 | 0x2f100 | 0x2f200 | c9456624283aedddaa976bf6c6000fdb | False | 0.1833347148541114 | data | 5.520234813725192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3bd000 | 0x30444 | 0x30600 | 11770f190b22ba27774a243769ef29f1 | False | 0.4781774870801034 | data | 6.5706317076247105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        NameRVASizeTypeLanguageCountryZLIB Complexity
        RT_BITMAP0x38d9100x13eDevice independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colorsEnglishUnited States0.25471698113207547
        RT_BITMAP0x38da500x828Device independent bitmap graphic, 32 x 16 x 32, image size 0EnglishUnited States0.03017241379310345
        RT_BITMAP0x38e2780x48a8Device independent bitmap graphic, 290 x 16 x 32, image size 0EnglishUnited States0.11881720430107527
        RT_BITMAP0x392b200xa6aDevice independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/mEnglishUnited States0.21680420105026257
        RT_BITMAP0x39358c0x152Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colorsEnglishUnited States0.5295857988165681
        RT_BITMAP0x3936e00x828Device independent bitmap graphic, 32 x 16 x 32, image size 0EnglishUnited States0.4875478927203065
        RT_ICON0x393f080x3864PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.971737323358271
        RT_ICON0x39776c0x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.08703319502074688
        RT_ICON0x399d140x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.16463414634146342
        RT_ICON0x39adbc0x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.18565573770491803
        RT_ICON0x39b7440x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.3262411347517731
        RT_DIALOG0x39bbac0xacdataEnglishUnited States0.7151162790697675
        RT_DIALOG0x39bc580xccdataEnglishUnited States0.6911764705882353
        RT_DIALOG0x39bd240x1b4dataEnglishUnited States0.5458715596330275
        RT_DIALOG0x39bed80x136dataEnglishUnited States0.6064516129032258
        RT_DIALOG0x39c0100x4cdataEnglishUnited States0.8289473684210527
        RT_STRING0x39c05c0x234dataEnglishUnited States0.4645390070921986
        RT_STRING0x39c2900x182dataEnglishUnited States0.5103626943005182
        RT_STRING0x39c4140x50dataEnglishUnited States0.7375
        RT_STRING0x39c4640x9adataEnglishUnited States0.37662337662337664
        RT_STRING0x39c5000x2f6dataEnglishUnited States0.449868073878628
        RT_STRING | 0x39c7f8 | 0x5c0 | data | English | United States | 0.3498641304347826
        RT_STRING | 0x39cdb8 | 0x434 | data | English | United States | 0.32899628252788105
        RT_STRING | 0x39d1ec | 0x100 | data | English | United States | 0.5703125
        RT_STRING | 0x39d2ec | 0x484 | data | English | United States | 0.39186851211072665
        RT_STRING | 0x39d770 | 0x1ea | data | English | United States | 0.44081632653061226
        RT_STRING | 0x39d95c | 0x18a | data | English | United States | 0.5228426395939086
        RT_STRING | 0x39dae8 | 0x216 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.46254681647940077
        RT_STRING | 0x39dd00 | 0x624 | data | English | United States | 0.3575063613231552
        RT_STRING | 0x39e324 | 0x660 | data | English | United States | 0.3474264705882353
        RT_STRING | 0x39e984 | 0x41a | data | English | United States | 0.38095238095238093
        RT_GROUP_ICON | 0x39eda0 | 0x14 | data | English | United States | 1.05
        RT_VERSION | 0x39edb4 | 0x324 | data | English | United States | 0.4427860696517413
        RT_HTML | 0x39f0d8 | 0x3835 | ASCII text, with very long lines (443), with CRLF line terminators | English | United States | 0.08298005420807561
        RT_HTML | 0x3a2910 | 0x1316 | ASCII text, with CRLF line terminators | English | United States | 0.18399508800654932
        RT_HTML | 0x3a3c28 | 0x8c77 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.08081426068578103
        RT_HTML | 0x3ac8a0 | 0x6acd | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10679931238798873
        RT_HTML | 0x3b3370 | 0x679 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.34339167169583584
        RT_HTML | 0x3b39ec | 0x104a | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.2170263788968825
        RT_HTML | 0x3b4a38 | 0x15b1 | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.17612101566720692
        RT_HTML | 0x3b5fec | 0x2099 | exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators | English | United States | 0.13732774116237267
        RT_HTML | 0x3b8088 | 0x368d | HTML document, ASCII text, with CRLF line terminators | English | United States | 0.10834228428213391
        RT_HTML | 0x3bb718 | 0x1d7 | ASCII text, with CRLF line terminators | English | United States | 0.6008492569002123
        RT_MANIFEST | 0x3bb8f0 | 0x80f | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.40814348036839554
        DLL | Import
        KERNEL32.dll | WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, GetLogicalDriveStringsW, GetDriveTypeW, GetDiskFreeSpaceExW, Sleep, LoadLibraryExW, FreeLibrary, GetCurrentProcess, WideCharToMultiByte, GetSystemDirectoryW, GetCurrentProcessId, DecodePointer, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateNamedPipeW, GetExitCodeThread, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, CompareStringW, FindNextFileW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, OutputDebugStringW, GetLocalTime, FlushFileBuffers, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FormatMessageW, ConnectNamedPipe, CloseHandle, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, FormatMessageA, GetLocaleInfoEx, FindFirstFileExW, MoveFileExW, QueryPerformanceCounter, QueryPerformanceFrequency, WakeAllConditionVariable, SleepConditionVariableSRW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, SetFilePointerEx, GetFileSizeEx, ReadConsoleW, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW, GetEnvironmentStringsW, CreateFileW
        imagehlp.dll | SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk
        Language of compilation system | Country where language is spoken
        English | United States
        No network behavior found


        Target ID:0
        Start time:02:44:40
        Start date:28/09/2024
        Path:C:\Users\user\Desktop\kas77c5mDL.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\kas77c5mDL.exe"
        Imagebase:0x4e0000
        File size:15'059'585 bytes
        MD5 hash:8059579BEA79E8C443E2195994C51BFE
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true


          Execution Graph

          Execution Coverage:0.9%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:11.7%
          Total number of Nodes:368
          Total number of Limit Nodes:12
          execution_graph: the serialized node and edge data of the interactive execution graph (function addresses with the API calls each node makes, e.g. 710270 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie) is omitted here; the node counts are given above.

          Control-flow Graph

          APIs
          • GetCurrentProcess.KERNEL32 ref: 0063F652
          • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0063F65F
          • GetLastError.KERNEL32 ref: 0063F669
          • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00781CB5), ref: 0063F68D
          • GetLastError.KERNEL32 ref: 0063F697
          • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00781CB5,00781CB5,00781CB5), ref: 0063F6BD
          • AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0063F6F4
          • EqualSid.ADVAPI32(00000000,?), ref: 0063F703
          • FreeSid.ADVAPI32(?), ref: 0063F712
          • CloseHandle.KERNEL32(00000000), ref: 0063F74C
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
          • String ID:
          • API String ID: 695978879-0
          • Opcode ID: 8f157594633e2eedc3530727b39a0c443c54fcd5914f356738025698173c5354
          • Instruction ID: a3abb74ca0a161043f0eda89a9e4c8d7564f6be6e1984b94a807adce21cfa410
          • Opcode Fuzzy Hash: 8f157594633e2eedc3530727b39a0c443c54fcd5914f356738025698173c5354
          • Instruction Fuzzy Hash: E3413A71D00619EBEF10DFA0DC59BEEBBB9FF09714F108129E411B22A0D7795A08CBA5

          Control-flow Graph

          Strings
          • AI_CF_FRAME_BASE_COLOR, xrefs: 004E14CC
          • AI_CF_MINBTN_COLORS, xrefs: 004E1696
          • AI_CF_CLOSEBTN_BASE_COLOR, xrefs: 004E158E
          • AI_CF_FRAME_BORDER1_COLORS, xrefs: 004E15D0
          • AI_CF_CLOSEBTN_BORDER_COLORS, xrefs: 004E172F
          • AI_CF_FRAME_CAPTION2_COLORS, xrefs: 004E150A
          • AI_CF_FRAME_BORDER3_COLORS, xrefs: 004E1665
          • AI_CF_CLOSEBTN_COLORS, xrefs: 004E16FC
          • AI_CF_FRAME_BORDER2_COLORS, xrefs: 004E1612
          • AI_CF_MINBTN_BORDER_COLORS, xrefs: 004E16C9
          • AI_CF_MINBTN_BASE_COLOR, xrefs: 004E154C
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID: AI_CF_CLOSEBTN_BASE_COLOR$AI_CF_CLOSEBTN_BORDER_COLORS$AI_CF_CLOSEBTN_COLORS$AI_CF_FRAME_BASE_COLOR$AI_CF_FRAME_BORDER1_COLORS$AI_CF_FRAME_BORDER2_COLORS$AI_CF_FRAME_BORDER3_COLORS$AI_CF_FRAME_CAPTION2_COLORS$AI_CF_MINBTN_BASE_COLOR$AI_CF_MINBTN_BORDER_COLORS$AI_CF_MINBTN_COLORS
          • API String ID: 0-1938184520
          • Opcode ID: 52790bc3e01e4aa19fc33436af58f61c32bbd9c8af8553ac02d0fcb5c96d5be7
          • Instruction ID: f90a5489febb6807c400a8f0d5bdc403ece8d18695cb770818b545ad2d545b3d
          • Opcode Fuzzy Hash: 52790bc3e01e4aa19fc33436af58f61c32bbd9c8af8553ac02d0fcb5c96d5be7
          • Instruction Fuzzy Hash: 61A12B70D4539CDAEB50DB61C9497DDBBB0BB15308F548289E4483B2C2DBF91A889B91

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 175 644900-64493a 176 644944-644947 175->176 177 64493c-64493f 175->177 179 644a12 176->179 180 64494d-64494f 176->180 178 644a17-644a32 call 70f86a 177->178 179->178 182 644955-644959 180->182 183 644a33-644a3f call 4eb0f0 180->183 185 64496d-644970 182->185 186 64495b-64495e 182->186 185->183 190 644976-64497b 185->190 186->183 188 644964-644969 186->188 188->190 191 64496b 188->191 190->179 192 644981-6449c1 call 711cc0 FindFirstFileW 190->192 191->192 195 6449e0-6449e6 GetLastError 192->195 196 6449c3-6449de 192->196 197 6449e8-6449fb 195->197 196->197 198 6449fd-644a04 FindClose 197->198 199 644a0e-644a10 197->199 198->199 199->178
          APIs
          • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 0064499F
          • FindClose.KERNEL32(00000000), ref: 006449FE
            • Part of subcall function 004EB0F0: RtlAllocateHeap.NTDLL(?,00000000,?,33F38F03,00000000,007386D0,000000FF,?,?,008592EC,?,?,004E11F6,80004005,33F38F03), ref: 004EB13A
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Find$AllocateCloseFileFirstHeap
          • String ID:
          • API String ID: 1673784098-0
          • Opcode ID: c2736a2d40f8038602efcf6004078727513f45083990df4c488bc8d45e19c11a
          • Instruction ID: 8ce9646754569ad6b528bdab1ab41d072b9b90ad7d7c98b357bdc14ea3430165
          • Opcode Fuzzy Hash: c2736a2d40f8038602efcf6004078727513f45083990df4c488bc8d45e19c11a
          • Instruction Fuzzy Hash: 7C310430905218DFDB28DF04C88ABAAB7B5FF44314F20825DE919A7780EB345E84CB84

          Control-flow Graph

          APIs
          • GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W), ref: 004F3967
          • GetProcAddress.KERNEL32(00000000), ref: 004F396E
          • CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 004F3A67
            • Part of subcall function 0070FCC5: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FCD0
            • Part of subcall function 0070FCC5: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FD0A
          • GetWindowsDirectoryW.KERNEL32(?,00000104,33F38F03), ref: 004F39B4
          • GetTempPathW.KERNEL32(00000104,?,33F38F03), ref: 004F3A8A
            • Part of subcall function 0070FC74: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FC7E
            • Part of subcall function 0070FC74: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FCB1
            • Part of subcall function 0070FC74: WakeAllConditionVariable.KERNEL32(00861A3C,?,?,004EB597,00862654,007A1290), ref: 0070FCBC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExclusiveLock$AcquireDirectoryRelease$AddressConditionCreateHandleModulePathProcTempVariableWakeWindows
          • String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
          • API String ID: 846588460-595641723
          • Opcode ID: fb0060844e451620a41ec8f6027c6fcba060f9f25b8da901989e564b12146dea
          • Instruction ID: e587dbd0da19cef306c10f06bb0cbb749f1295091273b0b2629b5f4be8891658
          • Opcode Fuzzy Hash: fb0060844e451620a41ec8f6027c6fcba060f9f25b8da901989e564b12146dea
          • Instruction Fuzzy Hash: 30A1C5B1D00258EBDB20DF94DC49BEEB7B4FB04314F1042AAE509A7291DBB86F44CB95

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 135 5c55b0-5c55fa GetSystemDirectoryW 136 5c5700 135->136 137 5c5600-5c5605 135->137 138 5c5702-5c5724 call 70f86a 136->138 137->136 139 5c560b-5c5614 call 4eb480 137->139 144 5c561a-5c5640 139->144 145 5c5725-5c5735 call 4eb0f0 139->145 150 5c5650-5c5653 144->150 151 5c5642-5c564e call 4ea920 144->151 153 5c5656-5c565f 150->153 156 5c5672-5c568a call 4f35d0 151->156 153->153 155 5c5661-5c566d call 4eaf60 153->155 155->156 160 5c568c-5c568e 156->160 161 5c5690-5c5692 156->161 162 5c56a4-5c56be call 4f35d0 call 710f6f 160->162 163 5c5695-5c569e 161->163 169 5c56c4-5c56cf LoadLibraryExW 162->169 170 5c56c0-5c56c2 162->170 163->163 164 5c56a0-5c56a2 163->164 164->162 171 5c56d1-5c56e6 169->171 170->171 172 5c56fc-5c56fe 171->172 173 5c56e8-5c56f8 171->173 172->138 173->172
          APIs
          • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 005C55F2
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
            • Part of subcall function 004EA920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,004E1269,http://,?,00000000,0073B3FF,000000FF,?,80004005,33F38F03), ref: 004EA943
          • LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 005C56C9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: DirectoryFindHeapLibraryLoadProcessResourceSystem
          • String ID: UxTheme.dll
          • API String ID: 2891229163-352951104
          • Opcode ID: 75c287a1b8599c3918d83ea1637425afb39ef69772415cd98f9e74f9e3e4f108
          • Instruction ID: b7946b4d79f2b6527504cd5195864eda290ba02b484368caeedd2a4eaad620e0
          • Opcode Fuzzy Hash: 75c287a1b8599c3918d83ea1637425afb39ef69772415cd98f9e74f9e3e4f108
          • Instruction Fuzzy Hash: F141EF756006099FCB18DFA8CC55BBE77A4FF44310F54862EE916972C0EB78AA44CA94

          Control-flow Graph

          APIs
          • GetCurrentProcess.KERNEL32(?,?,0071C842,00000016,007149B2,?,?,33F38F03,007149B2,?), ref: 0071C859
          • TerminateProcess.KERNEL32(00000000,?,0071C842,00000016,007149B2,?,?,33F38F03,007149B2,?), ref: 0071C860
          • ExitProcess.KERNEL32 ref: 0071C872
          Similarity
          • API ID: Process$CurrentExitTerminate
          • String ID:
          • API String ID: 1703294689-0
          • Opcode ID: 6091665f9ad3a87b701d36577ccf567eb4234272fe55a900493cd66d54292bfd
          • Instruction ID: 58b62b4e6a323a7a4e8f351c113b2d1e5e7a6368d3f7dda04c3ce258a225f644
          • Opcode Fuzzy Hash: 6091665f9ad3a87b701d36577ccf567eb4234272fe55a900493cd66d54292bfd
          • Instruction Fuzzy Hash: 6FD09E31040104ABCF122FA5DD4EA997F26AF85391B008024B905460B1CF3DDA92DB44

          Control-flow Graph: 62b6a0-62b7ed
          APIs
          • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,?,?,0065B772,?,?,?), ref: 0062B6B8
          • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,?,0065B772,?,?,?), ref: 0062B6EA
          Similarity
          • API ID: ByteCharMultiWide
          • String ID:
          • API String ID: 626452242-0
          • Opcode ID: 89383f62d30c07dbbfe9630574eae790729eb44a6530d7ee1bcbffa302824660
          • Instruction ID: bc6167f92cefbbebd3e0237098bb38b673bf199447c64926ca2807b157cb285a
          • Opcode Fuzzy Hash: 89383f62d30c07dbbfe9630574eae790729eb44a6530d7ee1bcbffa302824660
          • Instruction Fuzzy Hash: 1741DD716006169FDB14CF69DC89B6AF7A5FF84721F20862EE525973D0DB34A900CB90

          Control-flow Graph: 7294d3-72952f
          APIs
          • RtlAllocateHeap.NTDLL(00000008,0000000D,00000001,?,00727F17,00000001,00000364,00000001,00000005,000000FF,?,00710E44,0000000B,00000009,?), ref: 00729514
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: d0b7df3148f7ff3b5da03605a6f267fb3042fbeb2073f24af9bc9a0cb8ac2b76
          • Instruction ID: 55b4e4d9f914fa302d3d64606b1b8fe638703467a1921b68bf1b03c2504d2bf8
          • Opcode Fuzzy Hash: d0b7df3148f7ff3b5da03605a6f267fb3042fbeb2073f24af9bc9a0cb8ac2b76
          • Instruction Fuzzy Hash: 9DF0B431B05534A79F226A77BC09B9B3798EF41760F1D4015FE04D60C4EA28ED21C2E1

          Control-flow Graph: 4eb0f0-4eb14e
          APIs
            • Part of subcall function 00711511: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000009,?,?,?,0070C946,00000009,00858654,00000000,00000009), ref: 00711571
          • RtlAllocateHeap.NTDLL(?,00000000,?,33F38F03,00000000,007386D0,000000FF,?,?,008592EC,?,?,004E11F6,80004005,33F38F03), ref: 004EB13A
          Similarity
          • API ID: AllocateExceptionHeapRaise
          • String ID:
          • API String ID: 3789339297-0
          • Opcode ID: 7564574a1d0f98b6ad5125f7b4e4311970bec933ec38a42a3b3ef82bb188b092
          • Instruction ID: 1de6b86a1bd6bf4776fb2330df2b4be348a78a56d2ef517a48040547c9baab57
          • Opcode Fuzzy Hash: 7564574a1d0f98b6ad5125f7b4e4311970bec933ec38a42a3b3ef82bb188b092
          • Instruction Fuzzy Hash: 31F02771504608FFCB05CF44CC07F57BBA8F704B10F00862DF919C6690EB79A914CA44

          Control-flow Graph: 72822b-728278
          APIs
          • RtlAllocateHeap.NTDLL(00000000,00000001,00000009,?,00710E44,0000000B,00000009,?,?,?,004F22FC,0000000D,0000000D), ref: 0072825D
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 170ecabbab55f9f9b1e9bf93a1007e084c1174eb7c76b764608448ece9d1261e
          • Instruction ID: b01df4e3cf2125df339dc8976518d0fa7fc12afa664be593739a68a883c4867b
          • Opcode Fuzzy Hash: 170ecabbab55f9f9b1e9bf93a1007e084c1174eb7c76b764608448ece9d1261e
          • Instruction Fuzzy Hash: 75E0E531146A31DBDAA42669BC08B5B76C8BB823B0F050110FC04A20C1DE2ECC0082E2

          Control-flow Graph: 725d33-725d6b
          APIs
          Similarity
          • API ID: H_prolog3
          • String ID:
          • API String ID: 431132790-0
          • Opcode ID: 59ae46170a308bba5321c1fa79b4e89c95b872365b997d95df3747946e8fd8fb
          • Instruction ID: 373de0d69706807f5de074f7ae81999744b612467a8a8bd2899cfbe90f2da00c
          • Opcode Fuzzy Hash: 59ae46170a308bba5321c1fa79b4e89c95b872365b997d95df3747946e8fd8fb
          • Instruction Fuzzy Hash: C4E09276D0010DDEDB00DFD4C496BDFBBBCAB04300F504126A605E6141D67857848BD1
          Strings
          Similarity
          • API ID:
          • String ID: 100$10000$100000$12000$120000$150$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$Patch$PatchFiles$PatchSize$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$~
          • API String ID: 0-3331281799
          • Opcode ID: 26859dd462051a91695eb1636d32b9c419978707c7baea07600b1ce69e780cb4
          • Instruction ID: 2f722273c28c45a8cc9f0926044ffa49e6771d8b0ca069f8c5eb1b57005b0b1d
          • Opcode Fuzzy Hash: 26859dd462051a91695eb1636d32b9c419978707c7baea07600b1ce69e780cb4
          • Instruction Fuzzy Hash: 707319A0E457C8A6D341DBA19D1675E3A60BB63309F26634DF3412B3E2DFF80A8487D5
          APIs
          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0065AE8A
          • GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 0065AFAF
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          • GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 0065B0B6
            • Part of subcall function 004EA920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,004E1269,http://,?,00000000,0073B3FF,000000FF,?,80004005,33F38F03), ref: 004EA943
          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 0065B1F1
          • LoadLibraryW.KERNEL32(shfolder.dll), ref: 0065B362
          • GetProcAddress.KERNEL32(?,SHGetFolderPathW), ref: 0065B3A2
            • Part of subcall function 0064ED10: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,0065B47B,?), ref: 0064ED2F
            • Part of subcall function 0064ED10: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0064ED45
            • Part of subcall function 0064ED10: FreeLibrary.KERNEL32(00000000), ref: 0064ED88
          • GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 0065B5C0
          Strings
          Similarity
          • API ID: DirectoryLibrary$AddressLoadProcWindows$EnvironmentFileFindFreeHeapModuleNameProcessResourceSystemVariable
          • String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$kys$shfolder.dll$uys
          • API String ID: 1933822427-1922339803
          • Opcode ID: a82ac7b6451f78944daf37cd88aa0feeee4db3029fc085871fac66eb2e299674
          • Instruction ID: d9fb159b6692e0635965748c319a21989a35194aa2c599cdfd34e01d5f9645a4
          • Opcode Fuzzy Hash: a82ac7b6451f78944daf37cd88aa0feeee4db3029fc085871fac66eb2e299674
          • Instruction Fuzzy Hash: F462E330A002198BDB24DF24CC55BFAB7B3FF94315F1442A9E90697391EB369E49CB94
          APIs
          • CreateFileW.KERNEL32(008633AC,C0000000,00000003,00000000,00000004,00000080,00000000,33F38F03,00000000,00000025,00863388), ref: 0063E475
          • GetLastError.KERNEL32 ref: 0063E49D
          • OutputDebugStringW.KERNEL32(00000000,00000020), ref: 0063E522
          • OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 0063E652
          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 0063E6EE
          • WriteFile.KERNEL32(00000000,00000007,?,00000002,00000000,?,0000001D), ref: 0063E865
          • FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 0063E86E
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          • WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,007D2DEC,00000002), ref: 0063E924
          • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 0063E92D
          • WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,007D2DEC,00000002), ref: 0063E9D9
          • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 0063E9E2
          Strings
          Similarity
          • API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorHeapLastPointerProcess
          • String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86$-}
          • API String ID: 2331954151-2479626318
          • Opcode ID: ade9da5c56e567da97d6f44eef42a26f3a6de1430d05971eea4a4280b1114193
          • Instruction ID: 416febf1bdbc5a838a0ee5c00ea772b16c80be2c0dce63d82cf26954bb7cb426
          • Opcode Fuzzy Hash: ade9da5c56e567da97d6f44eef42a26f3a6de1430d05971eea4a4280b1114193
          • Instruction Fuzzy Hash: BC12BF71A012499BDB04DF68CC45BADBBB6FF84324F148259F825A73D1DB39AE01CB94
          APIs
          • InitializeCriticalSection.KERNEL32(0086648C,33F38F03), ref: 0064E0E3
          • EnterCriticalSection.KERNEL32(0086648C,33F38F03), ref: 0064E0F8
          • GetCurrentProcess.KERNEL32 ref: 0064E105
          • GetCurrentThread.KERNEL32 ref: 0064E113
          • SymSetOptions.IMAGEHLP(80000016), ref: 0064E141
          • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 0064E1B8
          • GetProcAddress.KERNEL32(00000000), ref: 0064E1BF
          • SymInitialize.IMAGEHLP(00000000,00000000,00000001,007CEF70,00000000), ref: 0064E205
          • StackWalk.IMAGEHLP(0000014C,?,?,?,?,00000000,00000000,*** Stack Trace (x86) ***,0000001F,?,?,?), ref: 0064E341
          • GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?), ref: 0064E3FA
          • SymCleanup.IMAGEHLP(00000000,?), ref: 0064E513
          • LeaveCriticalSection.KERNEL32(0086648C,?), ref: 0064E53E
          Strings
          Similarity
          • API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
          • String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
          • API String ID: 4282195395-80696534
          • Opcode ID: 63254b31ff31e75029216198aa76bc13ea95db67c1f376aebb461f619378fd3f
          • Instruction ID: ac48e82fbdb86853083fa9fc3b174d6ae83ebf70e2007a74c5bf242f28cb34a5
          • Opcode Fuzzy Hash: 63254b31ff31e75029216198aa76bc13ea95db67c1f376aebb461f619378fd3f
          • Instruction Fuzzy Hash: D0D1AA70D006A89ADF24DF64CC49BEEBBB5BF05305F1042DAE409A7291DBB96B84CF54
          APIs
          • lstrcmpiW.KERNEL32(?,?,msix,00000004,?,?,?,?, ?(-|/)+q,007D4E06,?,?,?), ref: 0052E083
          • lstrcmpiW.KERNEL32(?,?,msixbundle,0000000A,msix,00000004,?,?,?,?, ?(-|/)+q,007D4E06,?,?,?), ref: 0052E203
          • std::_Throw_Cpp_error.LIBCPMT ref: 0052E85B
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?, ?(-|/)+q,007D4E06,?,?,?), ref: 0052E7B7
            • Part of subcall function 00647B80: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,33F38F03,?,00000000), ref: 00647BCB
            • Part of subcall function 00647B80: GetLastError.KERNEL32(?,00000000), ref: 00647BD5
          Strings
          Similarity
          • API ID: lstrcmpi$Cpp_errorErrorFormatHeapLastMessageProcessSleepThrow_std::_
          • String ID: ?(-|/)+q$Launch failed. Error:$Launching file:$Return code of launched file:$appx$hp"d$msix$msixbundle$p|
          • API String ID: 1375998155-2306896406
          • Opcode ID: d996c1589adb5ea6d4f08be0dcdbba0604ca595747866abf35a3746ef0c28499
          • Instruction ID: 8fc049138548e439873877b9ca108db53c3027b72cea08dad6f1eebc52f991ba
          • Opcode Fuzzy Hash: d996c1589adb5ea6d4f08be0dcdbba0604ca595747866abf35a3746ef0c28499
          • Instruction Fuzzy Hash: 4BA2CE71D00268CFDB24DF68C8457ADBBB1BF46314F24829DE819A72C1DB74AE85CB91
          Strings
          Similarity
          • API ID: ExclusiveLockRelease
          • String ID: Component$Key$Text$UIText
          • API String ID: 1766480654-1667094980
          • Opcode ID: 09bd4ceb6472dea4d884cab621b3cb880e2369776eb690d9c38cb248ebecc0e2
          • Instruction ID: 56674044a9ab5bb557d3ea95a5280a494d4991d447d5929a10c273d933eb794c
          • Opcode Fuzzy Hash: 09bd4ceb6472dea4d884cab621b3cb880e2369776eb690d9c38cb248ebecc0e2
          • Instruction Fuzzy Hash: B572DFB1E00218DFDB04DFA8D849B9EBBB5FF85314F20825AE415AB3D1D775AA05CB90
          APIs
          • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00527A97
          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00527B11
          Strings
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: CustomAction$EmbeddedUIInstallHandleAccessServer$HI}$SELECT `Data` FROM `Binary` WHERE `Name` = '$Source$Target$Type$`Action`= '$invalid stoi argument$stoi argument out of range
          • API String ID: 2574300362-4216227222
          • Opcode ID: 87c6fea4094bb4304625465b58adee73ae62b25db5b7c0df2fd1a7b1362d9ad2
          • Instruction ID: 1720072c57f8dbf9aec77b7f11eb04c282221a41a1eb8a6a692a5d6a79b5e4aa
          • Opcode Fuzzy Hash: 87c6fea4094bb4304625465b58adee73ae62b25db5b7c0df2fd1a7b1362d9ad2
          • Instruction Fuzzy Hash: 2522C171D00268DFDB14DBA4DC59BEEBBB1BF49304F24419EE405B7281DB786A84CBA1
          Strings
          Similarity
          • API ID:
          • String ID: = "$ AND $"', '$' AND `Control_`='$') TEMPORARY$', '$'vs$0C}$1vs$ControlEvent$Control_Default$Dialog$EndDialog$INSERT INTO `ControlEvent` (`Dialog_`, `Control_`,`Event`,`Argument`, `Condition`, `Ordering`) VALUES ('$`Dialog_`='$dC}
          • API String ID: 0-444084208
          APIs
          • FindClose.KERNEL32(00000000), ref: 0050501F
          • FindFirstFileW.KERNEL32(33F38F03,?,*.*,00000000), ref: 00505279
          • GetFullPathNameW.KERNEL32(33F38F03,00000000,00000000,00000000), ref: 00505293
          • GetFullPathNameW.KERNEL32(33F38F03,00000000,?,00000000), ref: 005052D0
          • FindClose.KERNEL32(00000000), ref: 00505334
          • SetLastError.KERNEL32(0000007B), ref: 0050533E
          Strings
          Similarity
          • API ID: Find$CloseFullNamePath$ErrorFileFirstLast
          • String ID: *.*$\\?\$\\?\UNC\
          • API String ID: 1191132616-1700010636
          Strings
          Similarity
          • API ID:
          • String ID: $AI_DynInstances$AI_GenNewCompGuids$AI_MajorUpgrades$InstanceId$Manufacturer$OldProductCode$ProductCode$ProductVersion$UpgradeCode
          • API String ID: 0-614494711
          Strings
          Similarity
          • API ID:
          • String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='$dC}
          • API String ID: 0-1276874308
          APIs
          Strings
          Similarity
          • API ID: __floor_pentium4
          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
          • API String ID: 4168288129-2761157908
          APIs
          • NtdllDefWindowProc_W.NTDLL(00000000,?,33F38F03,80070216,33F38F03,00000000,?,?,?,80070216,33F38F03,?), ref: 004F7D6A
          • NtdllDefWindowProc_W.NTDLL(00000000,?,33F38F03,80070216,?,?,80070216,33F38F03,?), ref: 004F7DA3
          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004F7E5F
          • GlobalLock.KERNEL32(00000000), ref: 004F7E6D
          • GlobalUnlock.KERNEL32(?), ref: 004F7EBF
          • NtdllDefWindowProc_W.NTDLL(00000000,?,33F38F03,00000000), ref: 004F7F9B
          Similarity
          • API ID: GlobalNtdllProc_Window$AllocLockUnlock
          • String ID:
          • API String ID: 3978880103-0
          APIs
          • FindFirstFileW.KERNEL32(00000000,00000000,00000000), ref: 00644062
          • FindFirstFileW.KERNEL32(?,00000000,0000002A), ref: 00644106
          • FindClose.KERNEL32(00000000), ref: 00644130
          • FindClose.KERNEL32(00000000), ref: 00644189
          Strings
          Similarity
          • API ID: Find$CloseFileFirst
          • String ID: D|
          • API String ID: 2295610775-597101621
          APIs
          • IsProcessorFeaturePresent.KERNEL32(0000000C,0070F249,00000000,?,0070F3E1,?), ref: 0070F32F
          • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,0070F3E1,?), ref: 0070F356
          • HeapAlloc.KERNEL32(00000000,?,0070F3E1,?), ref: 0070F35D
          • InitializeSListHead.KERNEL32(00000000,?,0070F3E1,?), ref: 0070F36A
          • GetProcessHeap.KERNEL32(00000000,00000000,?,0070F3E1,?), ref: 0070F37F
          • HeapFree.KERNEL32(00000000,?,0070F3E1,?), ref: 0070F386
          Similarity
          • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
          • String ID:
          • API String ID: 1475849761-0
          Strings
          Similarity
          • API ID:
          • String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$T9}$`8}
          • API String ID: 0-2002633168
          APIs
          • MulDiv.KERNEL32(?,00000000), ref: 0062148C
          Strings
          Similarity
          • API ID:
          • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
          • API String ID: 0-2319862951
          APIs
            • Part of subcall function 004F87A0: EnterCriticalSection.KERNEL32(008686D4,33F38F03,00000000,?,?,?,?,?,?,004F7F05,0073BECD,000000FF), ref: 004F87DD
            • Part of subcall function 004F87A0: LoadCursorW.USER32(00000000,00007F00), ref: 004F8858
            • Part of subcall function 004F87A0: LoadCursorW.USER32(00000000,00007F00), ref: 004F8900
          • NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004F7F05,00000000), ref: 004F84BA
          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004F85A7
          • GlobalLock.KERNEL32(00000000), ref: 004F85B5
          • GlobalUnlock.KERNEL32(?), ref: 004F8607
          Similarity
          • API ID: Global$CursorLoad$AllocCriticalEnterLockNtdllProc_SectionUnlockWindow
          • String ID:
          • API String ID: 2093629019-0
          APIs
          Similarity
          • API ID: _strrchr
          • String ID:
          • API String ID: 3213747228-0
          Strings
          Similarity
          • API ID:
          • String ID: Arm64$Intel$Intel64$x64
          • API String ID: 0-2017237515
          Strings
          Similarity
          • API ID:
          • String ID: /Kim
          • API String ID: 0-585551710
          APIs
          Strings
          Similarity
          • API ID: __aulldvrm
          • String ID: /Kim
          • API String ID: 1302938615-585551710
          APIs
          • GetDiskFreeSpaceExW.KERNEL32(-00000030,?,?,00000000), ref: 0053BE49
          Strings
          Similarity
          • API ID: DiskFreeSpace
          • String ID: OutOfDiskSpace$PrimaryVolumePath
          • API String ID: 1705453755-3793120454
          Strings
          Similarity
          • API ID:
          • String ID: <> "$ = "$Hide$Show
          • API String ID: 0-289022205
          Strings
          Similarity
          • API ID:
          • String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
          • API String ID: 0-469785651
          Strings
          Similarity
          • API ID:
          • String ID: inf$nan$nan(ind)$nan(snan)
          • API String ID: 0-3276396208
          APIs
          • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,33F38F03), ref: 00527E1C
          • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00527E41
          • GetLastError.KERNEL32 ref: 00527E4B
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: DriveLogicalStrings$ErrorLast
          • String ID:
          • API String ID: 573936702-0
          • Opcode ID: e837627056f324ea7e712d9635ad897488bdc194f3ee517ae5a0997b5b05fe6d
          • Instruction ID: 7728be081334fab2a34f11af6e7610fd5ecfc63eb9c317a17ff32ea965d7397e
          • Opcode Fuzzy Hash: e837627056f324ea7e712d9635ad897488bdc194f3ee517ae5a0997b5b05fe6d
          • Instruction Fuzzy Hash: 8EF1BF71900268DFDF24DFA4C848BEEBBB5FF49304F10459EE415A7281DB34AA48CBA1
          APIs
          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00714AAB
          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00714AB5
          • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000001), ref: 00714AC2
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExceptionFilterUnhandled$DebuggerPresent
          • String ID:
          • API String ID: 3906539128-0
          • Opcode ID: 3577eb7759f984bc625c54c4140744f54f3e1cd970cadabf1220aacea6988811
          • Instruction ID: b0d70213c2b8ceb697f9835eb5f6e311f5043c85fc962495d541e7fa764ea611
          • Opcode Fuzzy Hash: 3577eb7759f984bc625c54c4140744f54f3e1cd970cadabf1220aacea6988811
          • Instruction Fuzzy Hash: F5319375941218ABCB21DF68D8897CDBBB8BF08310F5042EAE41CA6291E7749FD58F45
          APIs
          • LoadResource.KERNEL32(00000000,00000000,33F38F03,00000001,00000000,?,00000000,00738480,000000FF,?,004EA78C,?,?,?,http://,00738B50), ref: 004EA80B
          • LockResource.KERNEL32(00000000,?,004EA78C,?,?,?,http://,00738B50,000000FF,?,004EA930,00000000,?,?,004E1269,http://), ref: 004EA816
          • SizeofResource.KERNEL32(00000000,00000000,?,004EA78C,?,?,?,http://,00738B50,000000FF,?,004EA930,00000000,?,?,004E1269), ref: 004EA824
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Resource$LoadLockSizeof
          • String ID:
          • API String ID: 2853612939-0
          • Opcode ID: dd98ce13b54e62c0d9964e0815c77d9ef4c12d990b850006dde53435d83ddb52
          • Instruction ID: 0c4a9402d4069c097b0915d5ad5395d6a20c3fd7a4c54983a6f1dc816f25a8d7
          • Opcode Fuzzy Hash: dd98ce13b54e62c0d9964e0815c77d9ef4c12d990b850006dde53435d83ddb52
          • Instruction Fuzzy Hash: 7F11C432A046549BD7249F5ADC45A67B7E8FB89711F044D2BED5AD3240E639A8008694
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID: ) AND ( $Show$gfff
          • API String ID: 0-344708357
          • Opcode ID: 6b26e23a41edeec95add43766ee9bd398d82e42c961300943c70df1ac6dbd590
          • Instruction ID: f292392229d4c3146ff151572005356872b83c03c1d1a650ee2fa837ad4aa326
          • Opcode Fuzzy Hash: 6b26e23a41edeec95add43766ee9bd398d82e42c961300943c70df1ac6dbd590
          • Instruction Fuzzy Hash: 01D17AB1900258CFDB24DF69C855BEEBBB1BF44304F14869EE409A7381DB74AE85CB91
          APIs
          • GetLocalTime.KERNEL32(00000025), ref: 0063E36F
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          Strings
          • %04d-%02d-%02d %02d-%02d-%02d, xrefs: 0063E3BD
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: HeapLocalProcessTime
          • String ID: %04d-%02d-%02d %02d-%02d-%02d
          • API String ID: 1554148984-3768011868
          • Opcode ID: 1d0f1634a1f087116885bd75537d6e116d0a4e93c07b390d0917e551e572ee11
          • Instruction ID: 5a7ca6731deef5271a9d41cc1510042d0be64a749934cd5f218440142ac5c230
          • Opcode Fuzzy Hash: 1d0f1634a1f087116885bd75537d6e116d0a4e93c07b390d0917e551e572ee11
          • Instruction Fuzzy Hash: 67216FB1D042089FDB14DF9AD845BEEF7F8EB4C711F10411AF911A7280EB786940CBA5
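The records above for IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter (ref 00714AAB to 00714AC2), for the two GetLogicalDriveStringsW calls followed by GetLastError, and for GetLocalTime with its GetProcessHeap subcall are the raw evidence behind the "check if a debugger is running (IsDebuggerPresent)" signature at the top of this report. The Python script below is an added example, written for this page; it is not Joe Sandbox code and not code from the analysed sample. It parses API lines of the shapes shown in these records and labels each function record, treating the debugger trio as the compiler-generated security-failure stub of the MSVC runtime (vcruntime's __raise_securityfailure and the __scrt_fastfail fallback emit exactly those three calls back to back, so every /GS-protected MSVC binary carries them) whenever the three call sites sit within a small address window. The 0x40-byte window, the label names and the regular expression are assumptions of this example; the three sample records are copied from the lines above.

```python
import re

# One line of a Joe Sandbox "APIs" record. Shapes seen in this report:
#   • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00714AAB
#   • GetLastError.KERNEL32 ref: 00527E4B
#     • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"          # API name and module
    r"(?:\((?P<args>[^)]*)\))?"               # optional argument list as rendered
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"    # call-site address in the dump
)

# vcruntime's security-failure path (__raise_securityfailure and the
# __scrt_fastfail fallback) calls exactly these three back to back, so every
# /GS-protected MSVC binary contains the trio regardless of the author's intent.
CRT_FASTFAIL_TRIO = frozenset(
    {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}
)

# Sample records copied from this report (one string per function record).
RECORD_DEBUGGER = """
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00714AAB
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00714AB5
• UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000001), ref: 00714AC2
"""
RECORD_DRIVES = """
• GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,33F38F03), ref: 00527E1C
• GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 00527E41
• GetLastError.KERNEL32 ref: 00527E4B
"""
RECORD_TIME = """
• GetLocalTime.KERNEL32(00000025), ref: 0063E36F
  • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
"""


def parse_record(text):
    """Parse one record's API lines into dicts ordered by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw_args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module").upper(),
            "args": [a.strip() for a in raw_args.split(",")] if raw_args else [],
            "ref": int(m.group("ref"), 16),
            # a subcall line describes the callee's body, not this function's
            "subcall": "Part of subcall" in line,
        })
    return sorted(calls, key=lambda c: c["ref"])


def classify(calls, window=0x40):
    """Return a set of labels for a parsed record (window is a heuristic)."""
    own = [c for c in calls if not c["subcall"]]   # subcall refs lie elsewhere
    names = [c["api"] for c in own]
    labels = set()
    if CRT_FASTFAIL_TRIO <= set(names):
        refs = [c["ref"] for c in own if c["api"] in CRT_FASTFAIL_TRIO]
        if max(refs) - min(refs) <= window:
            labels.add("crt_security_failure_stub")   # compiler-generated
        else:
            labels.add("debugger_check")              # trio present but scattered
    elif "IsDebuggerPresent" in names:
        labels.add("debugger_check")                  # a bare check is worth a look
    # the same API called twice and then GetLastError: the size-then-fill idiom
    # of buffer-returning Win32 calls such as GetLogicalDriveStringsW
    repeated = {n for n in names if names.count(n) >= 2}
    if repeated and "GetLastError" in names:
        labels.add("repeated_call_with_error_check")
    return labels


def summarize(text):
    """API names in address order plus the labels for one record."""
    calls = parse_record(text)
    return [c["api"] for c in calls], classify(calls)


if __name__ == "__main__":
    for name, rec in [("debugger", RECORD_DEBUGGER), ("drives", RECORD_DRIVES),
                      ("time", RECORD_TIME)]:
        apis, labels = summarize(rec)
        print(name, apis, sorted(labels))
```

Run against the three records it prints one line per record; the debugger record comes out as crt_security_failure_stub because its three call sites span only 0x17 bytes, which is the check to make before reading the report's IsDebuggerPresent signature as deliberate anti-analysis. Subcall lines are parsed but excluded from the proximity test because their addresses belong to another function.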
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6ed0104802fbfa4fc137a9360367adbe82a7941c77344acee60aa26efc5252df
          • Instruction ID: 92a9e02f134df4ecbe66cdcff93434666aad085719b1816e3180c21ed166a5cd
          • Opcode Fuzzy Hash: 6ed0104802fbfa4fc137a9360367adbe82a7941c77344acee60aa26efc5252df
          • Instruction Fuzzy Hash: 00F15171E002299FDF14CFA9D8806ADB7B1FF98314F558269E819E7381D7349D41CB90
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
          • String ID: AiFeatIco$Icon
          • API String ID: 3145379705-1280411655
          • Opcode ID: 1ba8d849248f27273bf035add3ccda8e9d62bfb1f29a278f703503513158fe20
          • Instruction ID: 268156a2c1de040904516a8e0fa6c9009440281981e1727cae044beb303c841d
          • Opcode Fuzzy Hash: 1ba8d849248f27273bf035add3ccda8e9d62bfb1f29a278f703503513158fe20
          • Instruction Fuzzy Hash: 87525A70900258DFEB24DF68CD58BEEBBB1FB88304F144699E459AB291DB746E84CF50
          APIs
          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,33F38F03,?,00000000), ref: 00647BCB
          • GetLastError.KERNEL32(?,00000000), ref: 00647BD5
            • Part of subcall function 004EB0F0: RtlAllocateHeap.NTDLL(?,00000000,?,33F38F03,00000000,007386D0,000000FF,?,?,008592EC,?,?,004E11F6,80004005,33F38F03), ref: 004EB13A
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AllocateErrorFormatHeapLastMessage
          • String ID:
          • API String ID: 4114510652-0
          • Opcode ID: 54506f8a228d5de4d60f187571e255908e2362f8f68216774b2d7129802d948a
          • Instruction ID: 9ca1c3a032c46f6e84a8117ab87a4004c2ffa015456584a0e955beac9789298f
          • Opcode Fuzzy Hash: 54506f8a228d5de4d60f187571e255908e2362f8f68216774b2d7129802d948a
          • Instruction Fuzzy Hash: 6241E1B1A042099FDB14CFA9D8457AEF7B5FF84718F10416EE915A7380DB799A008B94
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID: 0$YTq
          • API String ID: 0-3538664247
          • Opcode ID: b5fe9272405faf34994c6fa74437f70c47cb8afb79c4d391a0fd9fc532f7a9e8
          • Instruction ID: a5651b054790961ff74e546ba3fccf41498e0070fff929766204e1a403c8cd71
          • Opcode Fuzzy Hash: b5fe9272405faf34994c6fa74437f70c47cb8afb79c4d391a0fd9fc532f7a9e8
          • Instruction Fuzzy Hash: 97E19D706006068FCBA4CF6CC580AEAB7F1FF49314B244659D8569B2D1DF38ED86CB52
          APIs
          • GetProcessHeap.KERNEL32(?,?,33F38F03), ref: 004F2114
          • HeapFree.KERNEL32(00000000,?,?,33F38F03), ref: 004F211A
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Heap$FreeProcess
          • String ID:
          • API String ID: 3859560861-0
          • Opcode ID: 3cf5d84f4bbe0705dd2c01a364b7f1fe44477b630d0a6f6a29fd6a0764d6f0dc
          • Instruction ID: 4e9936c63081544bf55cc24acf65d941a2be294bd9ae4baf06eff674a76d24ad
          • Opcode Fuzzy Hash: 3cf5d84f4bbe0705dd2c01a364b7f1fe44477b630d0a6f6a29fd6a0764d6f0dc
          • Instruction Fuzzy Hash: 2321D171904708DBD7158F68CA40BABB7A8FB51330F10476BEB25973D0D778AE058AA9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExceptionRaise__floor_pentium4
          • String ID: unordered_map/set too long
          • API String ID: 996205981-306623848
          • Opcode ID: ce44faf3cd8a333cceaa3c0905b7fee38d1992a42c3d56864fd41833f8a2ed3c
          • Instruction ID: 0d5b7a829831319ea7f2d4313d6e2026f9672cefe7f30c77c377b6c20e6f3b24
          • Opcode Fuzzy Hash: ce44faf3cd8a333cceaa3c0905b7fee38d1992a42c3d56864fd41833f8a2ed3c
          • Instruction Fuzzy Hash: 2D42C271A006099FCB14DF68D985AADFBF5FF48310F14C66AE819EB381DB74A941CB90
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID: gfff
          • API String ID: 0-1553575800
          • Opcode ID: e6c3bd28e360644ff9ca0b0d92023b8f6aa519daa6ada97420fbb7929fce51c2
          • Instruction ID: 6df72d1bc34d9eb4ccdf44cf70069254d95103d35f76203073229918beb15ec6
          • Opcode Fuzzy Hash: e6c3bd28e360644ff9ca0b0d92023b8f6aa519daa6ada97420fbb7929fce51c2
          • Instruction Fuzzy Hash: 8512BF75A083018FCB08CF29C89066FBBEABBD9344F14893EF49A97751D631D946CB52
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID: gfff
          • API String ID: 0-1553575800
          • Opcode ID: d76fe5fb8f8b11512092ca51a0936c1ce2d9c8767673a4432c032eb2b5d7e284
          • Instruction ID: ac1926054554ba420f0029253f313668996cb940e56a5eef31da7519dc9ae98b
          • Opcode Fuzzy Hash: d76fe5fb8f8b11512092ca51a0936c1ce2d9c8767673a4432c032eb2b5d7e284
          • Instruction Fuzzy Hash: 071225216083018BCB18BA2CDD9537DBBE7EB96300F15453DED86C73A2E639DD448B55
          APIs
          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 0072DB8E
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExceptionRaise
          • String ID:
          • API String ID: 3997070919-0
          • Opcode ID: 3fc4cfcb773921014ab2e840b5f0357f8b3e48bd8b0703f516c3b00a686fd1de
          • Instruction ID: 79613e8b2d898d1b05fa9678cf78321ed6edd329a40da0d029cf68571116da72
          • Opcode Fuzzy Hash: 3fc4cfcb773921014ab2e840b5f0357f8b3e48bd8b0703f516c3b00a686fd1de
          • Instruction Fuzzy Hash: 48B13A716106148FD725CF28D48ABA57BA0FF45365F258658E8DACF2A1C339ED91CB40
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AllocateHeap
          • String ID: p|
          • API String ID: 1279760036-2000032371
          • Opcode ID: 6c551951bb1b636c94df1a8cc4c84b4bba69c45de3b6efe2f2862a99bcd074d9
          • Instruction ID: 810706a50fbabc4db62c3fcd115e1610233024af58000a5726a73b0ca7257c9f
          • Opcode Fuzzy Hash: 6c551951bb1b636c94df1a8cc4c84b4bba69c45de3b6efe2f2862a99bcd074d9
          • Instruction Fuzzy Hash: 5812BF71A00209AFDB14DFA8CC85BEEBBB5FF48310F240619F915AB2D1DB75A940CB94
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
          • API String ID: 0-2431777889
          • Opcode ID: 2b7e052ea591b9609726d44a7b7b1b798eca32b2dcf4d0382d4f3ba3a0467b6c
          • Instruction ID: 74b66de70618c231c175b93a26e7cc8c384206f6877a2bf6202cb56bf5fcf405
          • Opcode Fuzzy Hash: 2b7e052ea591b9609726d44a7b7b1b798eca32b2dcf4d0382d4f3ba3a0467b6c
          • Instruction Fuzzy Hash: 59F1CD71D002489BDB14DF68CC85BEEBBB5FF48304F24825DE815A76C1DB78AA84CB95
          APIs
          • DeleteCriticalSection.KERNEL32(?,33F38F03,?,?,?,?,0073EDC4,000000FF), ref: 0050A4C3
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CriticalDeleteSection
          • String ID:
          • API String ID: 166494926-0
          • Opcode ID: 6d2e45d33f4a1a6e879dc28813752a60cdae6cc0cd6f3cea58eaa8475ee5e166
          • Instruction ID: 4e733b21a13de3a630fde803c0484684b6bb4d53e59deb64065c596bc08ceb53
          • Opcode Fuzzy Hash: 6d2e45d33f4a1a6e879dc28813752a60cdae6cc0cd6f3cea58eaa8475ee5e166
          • Instruction Fuzzy Hash: AF318B70604746EBDF10DF28CD08B5ABFA8BB05310F148269E854A77D1D7B5EA14CB91
          APIs
          • NtdllDefWindowProc_W.NTDLL(?,?,00000000,00000000,005154FA,?,?,?), ref: 0050FE70
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: NtdllProc_Window
          • String ID:
          • API String ID: 4255912815-0
          • Opcode ID: f057960460544b2ab07e6b955afdb5e3797fbd15a330a7d4b68530ad7924199e
          • Instruction ID: 1581a6ec0d2b96beaf7c7fd4540e59e4935b203ab663402d0ecdf573ff6fffd3
          • Opcode Fuzzy Hash: f057960460544b2ab07e6b955afdb5e3797fbd15a330a7d4b68530ad7924199e
          • Instruction Fuzzy Hash: F5F08C30008146DFE7A09B14E898A6DBFAAFB59346F8845F6E588C59B2C3758E45DF10
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID: 0e+00
          • API String ID: 0-2793203700
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 296a1937d54a2adc2dbdba11ea322bf948be81c2ff28a1be141b1ddb32a8a0e6
          • Instruction ID: 888bcde1f6385d973bb291b0d23311f5a8ccc81539b25abe1c52ced47d98e4a2
          • Opcode Fuzzy Hash: 296a1937d54a2adc2dbdba11ea322bf948be81c2ff28a1be141b1ddb32a8a0e6
          • Instruction Fuzzy Hash: 24328E71A042059FCB15CF68D984AAEBBF9FF88300F11855EF855A73A0DB34EA45CB91
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: afab56af616526cd4d29da7eb66942f5a84fb7c6e169710ec051d95580e030c9
          • Instruction ID: f3b068e73ab16bfa75e86034b05a086409b2399bce7da4d45be8def37f163dd3
          • Opcode Fuzzy Hash: afab56af616526cd4d29da7eb66942f5a84fb7c6e169710ec051d95580e030c9
          • Instruction Fuzzy Hash: 4D021632B083164FCB18CE2DC8916AEFBD6ABD8310F494A2DE895C7751E675DC49CB81
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 00c27cba60c268bfa4d5844cc2f31508ce26f17ee60b5552d3371e2bbf066920
          • Instruction ID: c30426ba14911d87e37e1e4826aaa5d09e22c5d69de26bd4e3913817b1246595
          • Opcode Fuzzy Hash: 00c27cba60c268bfa4d5844cc2f31508ce26f17ee60b5552d3371e2bbf066920
          • Instruction Fuzzy Hash: 4FD111B5B043118FC714DF2CC88066ABBE6ABDA304F58863EF899C7355E674DC058B92
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c5d6592bc3759a1117ca0afaf8875fde800d6961f0fb8469ff76745489f1db0f
          • Instruction ID: 4712c0b248b4c31cfdf971d7ecfd3b0143d6a16cb1a6eaf033351aa8e4034a6e
          • Opcode Fuzzy Hash: c5d6592bc3759a1117ca0afaf8875fde800d6961f0fb8469ff76745489f1db0f
          • Instruction Fuzzy Hash: 81E16676A183559FC700CF69C48162AFBE1FBC9754F4A4A6DE999A7340D730ED08CB82
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ddb9ba56e2e81bcb9c1ac6de31303a51ec23172c2a70721f1dc3431981540659
          • Instruction ID: 36ca05a284e0597dc0a70a938e30b7c67212aa36ad8234afb83f0e904f4e76ca
          • Opcode Fuzzy Hash: ddb9ba56e2e81bcb9c1ac6de31303a51ec23172c2a70721f1dc3431981540659
          • Instruction Fuzzy Hash: 2AA19571E005199FCB08DF68CD85AAEBBF6FF89310F148229E915EB385D734AD018B90
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8bf4c389e0de7b63b50b9a760587c88597f9fed1a7400e2852c524e2650b430d
          • Instruction ID: 158f3418ad0adfb49158744a4e00b2e87f9a454f38b1f1db76f02ad44bc34edf
          • Opcode Fuzzy Hash: 8bf4c389e0de7b63b50b9a760587c88597f9fed1a7400e2852c524e2650b430d
          • Instruction Fuzzy Hash: 5DC1A271A0420A8FDF18CF58C895AEDBFF5FF58304F188569E855AF285D734A981CB90
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d3f74fdbb53eec522143c3c9663faba9b44f6a34bb2bc0c461b0cd360f6cd2b4
          • Instruction ID: ea65adc5dad2aa2869c28da09a3cce192de9208d038179bf26a14105bb1cad49
          • Opcode Fuzzy Hash: d3f74fdbb53eec522143c3c9663faba9b44f6a34bb2bc0c461b0cd360f6cd2b4
          • Instruction Fuzzy Hash: 8191A272B043154BD748DE6DCD9136AF6E6ABC8310F1D853EF94AC73A1E678DC048682
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: df9d9e76541fde14abfd6c826fae817b314fa2db75b4df0d29166167c11a058e
          • Instruction ID: 226ce38e4b3043793b955beb17b38bcbf6f0b5ba74046485997d7d7c6fcc1f3f
          • Opcode Fuzzy Hash: df9d9e76541fde14abfd6c826fae817b314fa2db75b4df0d29166167c11a058e
          • Instruction Fuzzy Hash: 8D71F672B087058FD704DE2DC84166BBBD2EFD9360F184A2DE495D7381E679DD098B82
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 34df979d8fc1f70b79bcaa02ffad8574f7fd1dbae2c071cf3b2ffa91c0d82131
          • Instruction ID: d69a9f4276ba6df82b7ac1d47df1a2c6e2f26f61f786060df2a43f0f12d58f7e
          • Opcode Fuzzy Hash: 34df979d8fc1f70b79bcaa02ffad8574f7fd1dbae2c071cf3b2ffa91c0d82131
          • Instruction Fuzzy Hash: 1151A372B093058BC714EE1CD98422AF7E2BBC9340F458A3DF85997391E674DD058B86
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c47ceca8bf3e8c6036886bd9789d31c7c98cd69e142707afb4db56e2ec27f93a
          • Instruction ID: 09f1c18976dc57ba48cb129e31bfa0e23a18b1877901c6fcbabee0bb1bf54711
          • Opcode Fuzzy Hash: c47ceca8bf3e8c6036886bd9789d31c7c98cd69e142707afb4db56e2ec27f93a
          • Instruction Fuzzy Hash: 9971F7B1801B48CFE761CF78C94478ABBF0BB05324F148A5DD4A99B3D1D3B96648CB91
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6e177a4c1cc67787cea26447c92176ebf5f60c597775cd3a29226c2552ea574d
          • Instruction ID: b09ecb5936b9ad1c223d7e93b4b323853068f22f36025f830f65e742423b6aa4
          • Opcode Fuzzy Hash: 6e177a4c1cc67787cea26447c92176ebf5f60c597775cd3a29226c2552ea574d
          • Instruction Fuzzy Hash: FA418F213092618FDB1C9E1E44566FBBBD2EF97200B54066FF0C6CB342F6959E078B91
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3df38120d07f50712051e133723fa68914e9b0fb51013d3591732d4bd57f0e45
          • Instruction ID: 4fd171752f51cfa30a0f3e9be86735662c0779ff0106fd3e9e584df039dbdf75
          • Opcode Fuzzy Hash: 3df38120d07f50712051e133723fa68914e9b0fb51013d3591732d4bd57f0e45
          • Instruction Fuzzy Hash: 17317B21309246CBCF0C8F1998656FBBBDAEBA5310B45497FE4C2CB742DB5498078391
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c7acb26df16441bd333936fdecf9d056bec22144b492e8798d3c802018761f20
          • Instruction ID: 346a9f8bdc3c335900663374c49735c04d80cb2d7628783708909b4e4bf6520f
          • Opcode Fuzzy Hash: c7acb26df16441bd333936fdecf9d056bec22144b492e8798d3c802018761f20
          • Instruction Fuzzy Hash: 94416DB0600656EFEB10DF65D94875AFBE4FF04314F108269E4149BBD1DBBAE914CB90
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2908135feb7788b7ed4803f301559fb4099ba64aa7cb499528e051d9374a6216
          • Instruction ID: 0e7a3680abee141bb80611d2c8c547d531a8e514f7964a3f71766b4e1fcdcf3c
          • Opcode Fuzzy Hash: 2908135feb7788b7ed4803f301559fb4099ba64aa7cb499528e051d9374a6216
          • Instruction Fuzzy Hash: E64126B0905B89EED704CF69C10878AFBF0BF19318F20825EC4589B781D3B9A618CBD0
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9ac683e887a7840fc047d477284f273329fede2cdcb21fe768a65ccd53222eae
          • Instruction ID: 8d15d93077dac2aebf1086e68015812e3892ad6db4d4b765b2b54608829bb054
          • Opcode Fuzzy Hash: 9ac683e887a7840fc047d477284f273329fede2cdcb21fe768a65ccd53222eae
          • Instruction Fuzzy Hash: 10316B71A04205DFCF10DF58D984B9ABBF5FB44320F258269E824AB3D1C775AE04DB90
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0fdefc622bb65cd53b76dee24f689cae0498f9d3942b989e5e94d6b025ffb478
          • Instruction ID: ef303a9f2b90746aa75022275ed1efc69491684417c3d2e94255cee185ba6687
          • Opcode Fuzzy Hash: 0fdefc622bb65cd53b76dee24f689cae0498f9d3942b989e5e94d6b025ffb478
          • Instruction Fuzzy Hash: CA31D0B0405B84CEE321CF29C658347BFF0BB15718F108A5DD4E65BB91C3BAA648CB91
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: be1a9aa779d54df8a1aaf4abb8b9755ad77414a45c2fcc7732382c702d350e6d
          • Instruction ID: b43485efa2bb46cad46249a8957d35e140f7cd484d1f3d4038b05a499abda10d
          • Opcode Fuzzy Hash: be1a9aa779d54df8a1aaf4abb8b9755ad77414a45c2fcc7732382c702d350e6d
          • Instruction Fuzzy Hash: CE215CB1904348DFDB01CF58C90479ABBF4FB59318F21829ED414AB392D3BA9A06CB90
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5f2ccec081f34f3292ac90fa9eb9eaec1b320ab65d07217b4e065be723c793c4
          • Instruction ID: 3f2d9c049f7e7f946419c6144c7b9328d2ebfe7402360832fb1635ef671afb02
          • Opcode Fuzzy Hash: 5f2ccec081f34f3292ac90fa9eb9eaec1b320ab65d07217b4e065be723c793c4
          • Instruction Fuzzy Hash: 8C215CB1904348DFDB01CF58C90479ABBF4FB59318F21829ED414AB392D3BA9A06CB90
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 78721013364e4006402839a77cc6acdbe5c6dc5a7b96c29443662def415bfc22
          • Instruction ID: b909276f17e84e4b4adfba92293d79f148f09f44a54288ff768aa0277938236b
          • Opcode Fuzzy Hash: 78721013364e4006402839a77cc6acdbe5c6dc5a7b96c29443662def415bfc22
          • Instruction Fuzzy Hash: 0C110CB1904208DFD740CF58D944749BBF4FB08328F2086AEE8189B781D3BA9A06CF84
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmpDownload File
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmpDownload File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7970f67d872dfe0f17fbd4959f98a72785ec3689ca25ad54b151dca725fd5e71
          • Instruction ID: e0cf9d5f8eeae677d572aa8cbda3c9ad6c74440eb6c4b7f39fcc10181a0916c1
          • Opcode Fuzzy Hash: 7970f67d872dfe0f17fbd4959f98a72785ec3689ca25ad54b151dca725fd5e71
          • Instruction Fuzzy Hash: 79F01D70004B119BDB615B28EE04FA2BBE1BB04721B158B1AE5EA827E0CB64E8509B04
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
          • Instruction ID: eba9bdf16ad7a1517b818966e1af734418830b2d91211e9883da57c01f528f07
          • Opcode Fuzzy Hash: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
          • Instruction Fuzzy Hash: 58E08C72911278EBCB14DBDCE90898AF3ECFB85B50F1A009AB601E3110C274DE04C7D0
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 368173e5bd919caad5c593be1080eb9ff5bee38a2b6786a592e7c025f46cf6ff
          • Instruction ID: bff83aecd9940e90f22adc70569cc0394f24557c4c0c574dcca34572d6018a58
          • Opcode Fuzzy Hash: 368173e5bd919caad5c593be1080eb9ff5bee38a2b6786a592e7c025f46cf6ff
          • Instruction Fuzzy Hash: A1C08C748C0D44EACF2A891882F13F43354A392B82F84048CC5030BA82C61EDCCBD700
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,?,?,?,?,?,?,?,?,33F38F03,0073E925,000000FF,?,00543995), ref: 00543621
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00543627
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,33F38F03,0073E925,000000FF,?,00543995,33F38F03,33F38F03), ref: 0054366F
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00543675
          • InterlockedPushEntrySList.KERNEL32(008626C8,008627F8,33F38F03,?), ref: 00543AB2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: $.dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|$p|
          • API String ID: 3070229537-926204297
          • Opcode ID: 5fb4ed9c86829e206fd5cb086a5a302134ec7cef360e97bba791f3b843bec004
          • Instruction ID: 8ea99863913bc488c911b9a19dcdcd3eb5a39523ab1344729822ccba98f03ea6
          • Opcode Fuzzy Hash: 5fb4ed9c86829e206fd5cb086a5a302134ec7cef360e97bba791f3b843bec004
          • Instruction Fuzzy Hash: E8F19CB1D00219EFDB15DFA4C849BEEBBB4FF44718F14456AE411A72A1DBB86A04CB90
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 00561465
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0056146B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 005614B3
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 005614B9
          • InterlockedPushEntrySList.KERNEL32(008626C8,008628F0,33F38F03,00000000), ref: 005618F2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: !$.dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-1554633292
          • Opcode ID: 45dd7bee7bf0afeec27da5b2eabf32efe43118c03076684bd36f22eae108ee64
          • Instruction ID: ffaac748aabffc466e312de12acdd122e42ced984d5e5aa07d7090b45164f84a
          • Opcode Fuzzy Hash: 45dd7bee7bf0afeec27da5b2eabf32efe43118c03076684bd36f22eae108ee64
          • Instruction Fuzzy Hash: B1F1BEB0D00619EFDB14DFA4CC45BBEBBB4FF44714F18852AE411A7291DB786A04CB95
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 0055F935
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0055F93B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 0055F983
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0055F989
          • InterlockedPushEntrySList.KERNEL32(008626C8,00862888,33F38F03,00000000), ref: 0055FDC2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: $$.dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-729226044
          • Opcode ID: 57c128ebd24747ff5f6fe0baf7a8beb7b766ceed3876b59a0630e7a49801cb5c
          • Instruction ID: 56c82ce3a563bf7e38cecfeb796c7c4d446dfd442e42d9924f41d20775416180
          • Opcode Fuzzy Hash: 57c128ebd24747ff5f6fe0baf7a8beb7b766ceed3876b59a0630e7a49801cb5c
          • Instruction Fuzzy Hash: 82F1C0B1D04209EFDF14DFA8CC55BAEBBB4FF44714F10856AE811A7291DB786A08CB91
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 00561AB5
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00561ABB
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 00561B03
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00561B09
          • InterlockedPushEntrySList.KERNEL32(008626C8,00862908,33F38F03,00000000), ref: 00561F42
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: $$.dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-729226044
          • Opcode ID: 1e2b7559ff62a941548747b18a3f77456aeadbb80ad6ab87964b6cde99c29d44
          • Instruction ID: b36e5c5fc7109c8d69fca7759133cd937dd06d73e1c76467bea40bcefbe3c032
          • Opcode Fuzzy Hash: 1e2b7559ff62a941548747b18a3f77456aeadbb80ad6ab87964b6cde99c29d44
          • Instruction Fuzzy Hash: 91F1ADB1D00609EFDB14DFA4C849BBEBBB4FF44714F14856AE811A7291DBB86A04CB94
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 00560E35
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00560E3B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 00560E83
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00560E89
          • InterlockedPushEntrySList.KERNEL32(008626C8,008628D8,33F38F03,00000000), ref: 005612C2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: $.dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-2633021910
          • Opcode ID: 0142277050137c6b41e3f4456540724bf91da5fa313938896b2112a86cf93142
          • Instruction ID: 5d04e1c3d0fa146b040b3b5732d893a7d4b4d620546bb9ade6b4f12616b22cea
          • Opcode Fuzzy Hash: 0142277050137c6b41e3f4456540724bf91da5fa313938896b2112a86cf93142
          • Instruction Fuzzy Hash: 60F1CFB0D00609EFDF14DFA4CC49BAEBBB4FF44714F14862AE411A7291DBB86A44CB95
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00507715
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0050771B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,007D2B9C,33F38F03,33F38F03), ref: 00507763
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00507769
          • InterlockedPushEntrySList.KERNEL32(008626C8,00862700,33F38F03), ref: 00507BA6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-2713993708
          • Opcode ID: d517ffdc276c3569db309b58d4ccdd94dd4000d1a7408c0c8565d04b90dc748f
          • Instruction ID: 9f8d50275fea929e4f3173927e3c94d42bc129bc76494b6a2ca0c690812c99c0
          • Opcode Fuzzy Hash: d517ffdc276c3569db309b58d4ccdd94dd4000d1a7408c0c8565d04b90dc748f
          • Instruction Fuzzy Hash: F2F18CB1D0421DEFDB14DFA8C849BAEBBB4FF48714F14856AE411A72D1DB786A04CB90
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 005620E5
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 005620EB
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 00562133
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00562139
          • InterlockedPushEntrySList.KERNEL32(008626C8,00862920,33F38F03,00000000), ref: 00562572
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-2713993708
          • Opcode ID: cec2d64862c39916bd0841e3019505c66548414a9084bf45fbe414eea43db6c4
          • Instruction ID: 161ab13fd7ee13dfbc1bda6497c299a76684d1c733a8e9b5f0b4daf856e582c5
          • Opcode Fuzzy Hash: cec2d64862c39916bd0841e3019505c66548414a9084bf45fbe414eea43db6c4
          • Instruction Fuzzy Hash: 39F1BFB0D00609EFDB15DFA4CC49BAEBBB4FF44714F14852AE911A7391DB78AA04CB91
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,-000000B4,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 00562715
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0056271B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 00562763
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00562769
          • InterlockedPushEntrySList.KERNEL32(008626C8,00862938,33F38F03,00000000), ref: 00562BA2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-2713993708
          • Opcode ID: e50d124ee0615f3c175d82ac2e9084f31adf4f605bd71ded2af4ca594e73ffa4
          • Instruction ID: 6dc3d74f160e8f76426a7691ed4c07f820026601ffe289c781e96e7ebd5d771d
          • Opcode Fuzzy Hash: e50d124ee0615f3c175d82ac2e9084f31adf4f605bd71ded2af4ca594e73ffa4
          • Instruction Fuzzy Hash: A3F1BEB1D00609EFDB14DFA8CC49BAEBBB4FF44714F14856AE811B7291DBB85A44CB90
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 00560805
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 0056080B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 00560853
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00560859
          • InterlockedPushEntrySList.KERNEL32(008626C8,008628C0,33F38F03,00000000), ref: 00560C92
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-2713993708
          • Opcode ID: 6100f66813c43cd3d7817b2bdb9e3e28bef6651daec8ef4f6dd087f1e1e1ed65
          • Instruction ID: a7e8336ebf7c511f1066f0036c28ce14ec6cf5bc6f094ab867171886bd39c99c
          • Opcode Fuzzy Hash: 6100f66813c43cd3d7817b2bdb9e3e28bef6651daec8ef4f6dd087f1e1e1ed65
          • Instruction Fuzzy Hash: 10F1BDB1D00209EFDB14DFA8CC45BAEBBB4FF44714F14856AE811A72D1DBB86A04CB90
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 00564A15
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00564A1B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 00564A63
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00564A69
          • InterlockedPushEntrySList.KERNEL32(008626C8,008629B0,33F38F03,00000000), ref: 00564EA2
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc$EntryInterlockedListPush
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 3070229537-2713993708
          • Opcode ID: 3cb6aa3cf147185e6d5f731226787b853928b185c24125a51b13356642fec0a7
          • Instruction ID: 481e724cffb3fad389471f53029dc62be1ccf7e75f4766afe74b5a707aff242c
          • Opcode Fuzzy Hash: 3cb6aa3cf147185e6d5f731226787b853928b185c24125a51b13356642fec0a7
          • Instruction Fuzzy Hash: 1AF1AEB0D00209EFDB15DFA8C845BAEBBB4FF44714F14856AE811A7391DBB89A04CF91
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,?,?,?,?,?,?,?,?,33F38F03,0073E925,000000FF,?,00543285), ref: 00542F11
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00542F17
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,33F38F03,0073E925,000000FF,?,00543285,33F38F03,33F38F03), ref: 00542F5F
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00542F65
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 2574300362-2713993708
          • Opcode ID: 0cf9d4d6500ff947f53d80c7a1631a224a76ad414682fd869b377de5ea7acf43
          • Instruction ID: f74731f83c1e6113a878f9725a2ee5fb24b9798683b40fe456e15a5d0e9ccf6b
          • Opcode Fuzzy Hash: 0cf9d4d6500ff947f53d80c7a1631a224a76ad414682fd869b377de5ea7acf43
          • Instruction Fuzzy Hash: 10F1B0B0D04219EFDB14DFA8C849BEEBFB4FF48714F14465AE401A72A1DB796A04CB90
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,?,?,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 00540E95
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00540E9B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,?,?,?,?,?,?,?,?,?,33F38F03,0073A355,000000FF), ref: 00540EE3
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00540EE9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 2574300362-2713993708
          • Opcode ID: 0bdbcc00983b7b451f56255364bf58da00d45bb25b4fe298b4d41cb1029a6444
          • Instruction ID: e4bff37a14c3a6001e0986da9d898ceb89239b945f0a0736605e7d2818670e3a
          • Opcode Fuzzy Hash: 0bdbcc00983b7b451f56255364bf58da00d45bb25b4fe298b4d41cb1029a6444
          • Instruction Fuzzy Hash: 1CF1C0B0D00609EFDB14DFA8C849BEEBBB4FF44714F208529E911A7390DB799A44CB94
          APIs
          • LoadLibraryW.KERNEL32(Advapi32.dll,33F38F03,?,00000000), ref: 0063FA91
          • GetLastError.KERNEL32 ref: 0063FABF
            • Part of subcall function 004EB0F0: RtlAllocateHeap.NTDLL(?,00000000,?,33F38F03,00000000,007386D0,000000FF,?,?,008592EC,?,?,004E11F6,80004005,33F38F03), ref: 004EB13A
          • GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 0063FAD5
          • FreeLibrary.KERNEL32(00000000), ref: 0063FAF1
          • GetLastError.KERNEL32 ref: 0063FAFE
          • GetLastError.KERNEL32 ref: 0063FCF5
          • GetLastError.KERNEL32 ref: 0063FD5A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ErrorLast$Library$AddressAllocateFreeHeapLoadProc
          • String ID: Advapi32.dll$ConvertStringSidToSidW$d+~
          • API String ID: 3460774402-2874641113
          • Opcode ID: 51cb36593aa08ec53940e9df12f43325272a2374232ca4a61e13823b4a861a0a
          • Instruction ID: ac5c03f1016cbe12904ba41c8f4cf20843348866ff9e4a58098e465807f510ed
          • Opcode Fuzzy Hash: 51cb36593aa08ec53940e9df12f43325272a2374232ca4a61e13823b4a861a0a
          • Instruction Fuzzy Hash: BFF18CB1C0120AEBDF10DF94D9447EEBBB6FF09314F208229E915B7291D778AA45CB91
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00507C85
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00507C8B
          • LoadLibraryW.KERNEL32(combase.dll,CoIncrementMTAUsage,?,007D2BD0,33F38F03,33F38F03), ref: 00507CD3
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 00507CD9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 2574300362-2713993708
          • Opcode ID: fdf807a0c034e70421571bd0bf2354c2f24e46ae3da19f5eb49345dd54f33331
          • Instruction ID: 3f8f6d41b3664392d36b048f2261a96c99039e8a59a47c570ff92a71635c1b0d
          • Opcode Fuzzy Hash: fdf807a0c034e70421571bd0bf2354c2f24e46ae3da19f5eb49345dd54f33331
          • Instruction Fuzzy Hash: F1D19DB1D14209EFDB14DFA8C855BAEBBB4FF48710F14856AE411A72D1DB78AA04CB90
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,33F38F03,00000000,000000B8,?,?,?,?,?,?,?,?,?,?,33F38F03), ref: 004F1423
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 004F1429
          • LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,007CEF70,00000000,00000000,00000000), ref: 004F15DB
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: LibraryLoad$AddressProc
          • String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll$p|
          • API String ID: 1469910268-2713993708
          • Opcode ID: ef14b5e0523ec88feb19b70621ea44817f61136e16f1127b50fdfd7ae10e7f1a
          • Instruction ID: 343825e8c7c439f49484c6f980cd02f69f7f58c205611ca9cfecd63958642ccd
          • Opcode Fuzzy Hash: ef14b5e0523ec88feb19b70621ea44817f61136e16f1127b50fdfd7ae10e7f1a
          • Instruction Fuzzy Hash: D1B19C70D1020DEFDB14DFA8C855BAEBBB4FF58710F14816AE911A73A1DB789A00CB95
          APIs
          • InitializeCriticalSection.KERNEL32(00863388,33F38F03,00000000), ref: 0063E0EC
          • EnterCriticalSection.KERNEL32(00000000,33F38F03,00000000), ref: 0063E0F9
          • WriteFile.KERNEL32(00000000,?,?,007818DD,00000000), ref: 0063E12B
          • FlushFileBuffers.KERNEL32(00000000,?,?,007818DD,00000000), ref: 0063E134
          • WriteFile.KERNEL32(00000000,0052E72A,88B95000,00000000,00000000,007CEF40,00000001,?,?,007818DD,00000000), ref: 0063E1CC
          • FlushFileBuffers.KERNEL32(00000000,?,?,007818DD,00000000), ref: 0063E1D5
          • WriteFile.KERNEL32(00000000,0052E71A,FFFFFF64,?,00000000,?,?,007818DD,00000000), ref: 0063E218
          • FlushFileBuffers.KERNEL32(00000000,?,?,007818DD,00000000), ref: 0063E221
          • WriteFile.KERNEL32(00000000,?,?,?,00000000,007D2DEC,00000002,?,?,007818DD,00000000), ref: 0063E28E
          • FlushFileBuffers.KERNEL32(00000000,?,?,007818DD,00000000), ref: 0063E297
          • LeaveCriticalSection.KERNEL32(00000000,?,?,007818DD,00000000), ref: 0063E2D6
            • Part of subcall function 004EA920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,004E1269,http://,?,00000000,0073B3FF,000000FF,?,80004005,33F38F03), ref: 004EA943
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: File$BuffersFlushWrite$CriticalSection$EnterFindInitializeLeaveResource
          • String ID: @|$-}
          • API String ID: 1900893598-980482901
          • Opcode ID: c1a96fdbe099e322c0e7f187095f8c579f7805bbdd743d8c533cb05f5d83abfe
          • Instruction ID: 323f8eecaad66df7d834551697596cfa24f3dcb3f8f3d73bbe95e210987f0466
          • Opcode Fuzzy Hash: c1a96fdbe099e322c0e7f187095f8c579f7805bbdd743d8c533cb05f5d83abfe
          • Instruction Fuzzy Hash: 8571BC31A00248AFDB05DF68CC49BAEBBBAFF45314F148158F811A7391CB399E01CBA4
          APIs
          • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 0052D798
          • GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 0052D7AA
          • GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 0052D7B8
          • GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 0052D7C7
            • Part of subcall function 004EB0F0: RtlAllocateHeap.NTDLL(?,00000000,?,33F38F03,00000000,007386D0,000000FF,?,?,008592EC,?,?,004E11F6,80004005,33F38F03), ref: 004EB13A
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressProc$Heap$AllocateLibraryLoadProcess
          • String ID: build $149d0ec8$21.8.2$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
          • API String ID: 230625546-2370864453
          • Opcode ID: 39f81032849f16d657ebf03198978b3a75a13422231cfa1b8a8a65e4420f3dc8
          • Instruction ID: faa28ffdc611c54d404f86699ee0325833cfe9d27fcae4ba80f2a037b8c1aef1
          • Opcode Fuzzy Hash: 39f81032849f16d657ebf03198978b3a75a13422231cfa1b8a8a65e4420f3dc8
          • Instruction Fuzzy Hash: DDD10171A012199BCB04DF68D845BAEBBB5FF45314F14821EF815A73C1EB78AA05CBE4
          APIs
          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 0064A413
          • GetProcAddress.KERNEL32(00000000), ref: 0064A41A
          • GetCurrentProcess.KERNEL32(?), ref: 0064A451
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressCurrentHandleModuleProcProcess
          • String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
          • API String ID: 4190356694-3583743485
          • Opcode ID: 48ca8ab6033f206470a9d8fce07647ff6bea379c7c06318c650fa1ed03e56fe3
          • Instruction ID: 3a95e60f913d757974f52d5c858d6760e11432610f82e8f869f7882d2529de26
          • Opcode Fuzzy Hash: 48ca8ab6033f206470a9d8fce07647ff6bea379c7c06318c650fa1ed03e56fe3
          • Instruction Fuzzy Hash: 98A1C3B0941618EFEB20CF50DC45BEAB7BAFB44711F000299E509A72D0DBB65A94CF01
          APIs
          • CreateThread.KERNEL32(00000000,00000000,00538450,007D51CC,00000000,?), ref: 005383BC
          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005383D5
          • CloseHandle.KERNEL32(00000000), ref: 005383EB
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CloseCreateHandleObjectSingleThreadWait
          • String ID: p|$p|
          • API String ID: 51348343-2407752136
          • Opcode ID: 4de62bc30f6aa9e51b8f535ae4f525fb1b27a2658e7e8502de3b6c5d43d5b0e7
          • Instruction ID: b8a502439ef442ec20940cd609516716ea2ffca362f835ee25ffbee9b98a01ca
          • Opcode Fuzzy Hash: 4de62bc30f6aa9e51b8f535ae4f525fb1b27a2658e7e8502de3b6c5d43d5b0e7
          • Instruction Fuzzy Hash: 36128B71D00348DFDB18CFA5C945BAEBBB8FF44314F20856EE915A7291DB78AA05CB90
          APIs
          • EnterCriticalSection.KERNEL32(008686D4,33F38F03,00000000,?,?,?,?,?,?,004F7F05,0073BECD,000000FF), ref: 004F87DD
          • LoadCursorW.USER32(00000000,00007F00), ref: 004F8858
          • LoadCursorW.USER32(00000000,00007F00), ref: 004F8900
          • LeaveCriticalSection.KERNEL32(008686D4), ref: 004F8953
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CriticalCursorLoadSection$EnterLeave
          • String ID: 0$AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST$h }
          • API String ID: 3727441302-3812644711
          • Opcode ID: 4aff3934d6555100a92dca722ef9cf9769936ea227957d89e540b71bf4bd0cc0
          • Instruction ID: 65d262b194127e2348baecd3f2ee8e1fb578493cc174a940f3da63ec955cd9bc
          • Opcode Fuzzy Hash: 4aff3934d6555100a92dca722ef9cf9769936ea227957d89e540b71bf4bd0cc0
          • Instruction Fuzzy Hash: 545127B1D41209DBDB11CFA4D858BEEBBB8FF18304F11411AE500A6390DBB95A06CBA9
          APIs
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 004EEF28
          • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 004EEF32
          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 004EEF44
          • GetExitCodeProcess.KERNEL32(?,?), ref: 004EEF61
          • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 004EEF6B
          • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 004EEF78
          • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 004EEF82
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
          • String ID: "%s" %s$D
          • API String ID: 3234789809-3971972636
          • Opcode ID: 15c11865c0779230431d0388f7fa2a46409639650916e71dbf122aeefd8d6248
          • Instruction ID: 06f79fab020e3fcd706d8e381d78fc7ea2e4c7090c0c4d74e3cc220cf66d08f2
          • Opcode Fuzzy Hash: 15c11865c0779230431d0388f7fa2a46409639650916e71dbf122aeefd8d6248
          • Instruction Fuzzy Hash: FA51CF71E00655EFDB14CF6ACC04BAEB7B5FF44311F20862AE921A7380D738A941CB99
          APIs
          • DecodePointer.KERNEL32(?,?,?,0070F422,008619F8,?,?,?,?,004FAB84,00000000,?,?,?,80004003), ref: 0070F13D
          • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,0070F422,008619F8,?,?,?,?,004FAB84,00000000), ref: 0070F152
          • DecodePointer.KERNEL32(?), ref: 0070F1CE
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: DecodePointer$LibraryLoad
          • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
          • API String ID: 1423960858-1745123996
          • Opcode ID: 08624959fb721d0fe94386391c9de9912e995986a4db869c52ceaab141fa6a0b
          • Instruction ID: a0e1b28eda1773718310bb3f8d38280f694cd35965d4fab31ab7d87aee24bc7d
          • Opcode Fuzzy Hash: 08624959fb721d0fe94386391c9de9912e995986a4db869c52ceaab141fa6a0b
          • Instruction Fuzzy Hash: 7A01C471640219FADB719B10DC0FFC63BB57B02799F094269FC42A6AD2EB9D8A04C585
          APIs
          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,33F38F03,?), ref: 0064D1A7
          • SymSetSearchPath.IMAGEHLP(33F38F03,?,33F38F03,?), ref: 0064D408
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: FileModuleNamePathSearch
          • String ID: -> $%hs()$%hs:%ld$[0x%.8Ix] ${374DE290-123F-4565-9164-39C4925E467B}
          • API String ID: 1980563475-661946600
          • Opcode ID: 23c443fda412b1fcf3eb67d0a9c6887c93a2f50c91b67ebcb1e9d87e67830151
          • Instruction ID: 779de60c31231d9eebe0d849006e96148f78ba6865bbb62089669900c7d0ef3c
          • Opcode Fuzzy Hash: 23c443fda412b1fcf3eb67d0a9c6887c93a2f50c91b67ebcb1e9d87e67830151
          • Instruction Fuzzy Hash: 2E919971D00568CBCB29CF28CC45BEDB7B5AB4A314F1082D9E619A7291DB749F84CF81
          APIs
          • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0070F3E1,?), ref: 0070F25B
          • HeapAlloc.KERNEL32(00000000,?,0070F3E1,?), ref: 0070F262
            • Part of subcall function 0070F32D: IsProcessorFeaturePresent.KERNEL32(0000000C,0070F249,00000000,?,0070F3E1,?), ref: 0070F32F
          • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,0070F3E1,?), ref: 0070F272
          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,0070F3E1,?), ref: 0070F299
          • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,0070F3E1,?), ref: 0070F2AD
          • InterlockedPopEntrySList.KERNEL32(00000000,?,0070F3E1,?), ref: 0070F2C0
          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,0070F3E1,?), ref: 0070F2D3
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
          • String ID:
          • API String ID: 2460949444-0
          • Opcode ID: 7f5e2cdeb5646726c598f73e410535d4bcba303d1efe4f254634b42635167b33
          • Instruction ID: c219c4081c66db364a023e84ad865f3a700b49cb87801a854050b7d4fd203dba
          • Opcode Fuzzy Hash: 7f5e2cdeb5646726c598f73e410535d4bcba303d1efe4f254634b42635167b33
          • Instruction Fuzzy Hash: 4C11C879601212EBDB315BB4AC49F6F7A9CFF85742F254230F941D65D0DA6CCC044BA4
          APIs
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,33F38F03,00000000), ref: 006481FB
          • CloseHandle.KERNEL32(?), ref: 00648577
            • Part of subcall function 00647F90: LoadStringW.USER32(?,?,00000514,33F38F03), ref: 00647FE8
          • ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 0064826D
          • ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 00648519
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: File$Read$CloseCreateHandleHeapLoadProcessString
          • String ID:
          • API String ID: 2846944389-0
          • Opcode ID: 1f3cd7952ac66e1cf4a75c0862939603755a3864897929df3846eb7df7050389
          • Instruction ID: b22aa0037fb19cc036fd0cbb08bfe6b9eeb789b3e6bb5675176dae3ac7afa87e
          • Opcode Fuzzy Hash: 1f3cd7952ac66e1cf4a75c0862939603755a3864897929df3846eb7df7050389
          • Instruction Fuzzy Hash: 9B028071E002189FDB14CFA8CD49BAEBBB6EF45714F248219E415AB381DB74AE45CB90
          APIs
          • GetProcessHeap.KERNEL32(?,00000000,?,00000000,33F38F03), ref: 00505AE6
          • HeapFree.KERNEL32(00000000,?,00000000,?,00000000,33F38F03), ref: 00505AEC
          • GetProcessHeap.KERNEL32(?,00000000), ref: 00505C85
          • HeapFree.KERNEL32(00000000,?,00000000), ref: 00505C8B
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Heap$FreeProcess
          • String ID: #$p|$p|
          • API String ID: 3859560861-4277358874
          • Opcode ID: 27ad33f6930d58179a9ca938ead37bf3f4dd91b5c39357de940f8a14e50ec48a
          • Instruction ID: c263a62c5bed654a7517ed4c8340a53c4f3afdf01fb6d11b95ef810f25856c66
          • Opcode Fuzzy Hash: 27ad33f6930d58179a9ca938ead37bf3f4dd91b5c39357de940f8a14e50ec48a
          • Instruction Fuzzy Hash: AFD15A71E00609CBEB14CF98C9497EEBBB4FF44314F1445AAD815672D1E7B95A05CF90
          APIs
          • GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 0064EABD
          • Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 0064EB5F
          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 0064EB87
          • Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 0064EBB3
            • Part of subcall function 004EB0F0: RtlAllocateHeap.NTDLL(?,00000000,?,33F38F03,00000000,007386D0,000000FF,?,?,008592EC,?,?,004E11F6,80004005,33F38F03), ref: 004EB13A
          • DeleteFileW.KERNEL32(?,33F38F03,?,00000000,00738720,000000FF,?,80070057,80004005,?), ref: 0064EC6D
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableHeapNameRevertTemp
          • String ID: shim_clone
          • API String ID: 2310976806-3944563459
          • Opcode ID: 367df86fbfd0c383680325972cd0ffefb7fca6f9ca6133f29d498de2aac2e315
          • Instruction ID: e926d8fd803324d4864a50430bec5953274613f7b08f7a926430fb2a8c5630f5
          • Opcode Fuzzy Hash: 367df86fbfd0c383680325972cd0ffefb7fca6f9ca6133f29d498de2aac2e315
          • Instruction Fuzzy Hash: 33B1F175A006589FDB24DF24CC45BAAB7F6FF45300F1480EDE50AA7292EB35AE84CB54
          APIs
          • RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,?,0073D86D,000000FF,?,00644838,?), ref: 00644590
            • Part of subcall function 004EA920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,004E1269,http://,?,00000000,0073B3FF,000000FF,?,80004005,33F38F03), ref: 004EA943
          • RemoveDirectoryW.KERNEL32(?,33F38F03,?,?,00000000,?,?,0073D86D,000000FF,?,00644838,?,00000000,?,?,?), ref: 006445CB
          • GetLastError.KERNEL32(?,33F38F03,?,?,00000000,?,?,0073D86D,000000FF,?,00644838,?,00000000,?,?,?), ref: 006445DB
          • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,0073D86D,000000FF,?,80004005,33F38F03), ref: 006446B0
          • GetLastError.KERNEL32(?,?,00000000,?,00000000,0073D86D,000000FF,?,00644424,?,?,00000000), ref: 006446FB
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: DirectoryErrorLastRemove$DeleteFileFindHeapProcessResource
          • String ID: \\?\
          • API String ID: 728736790-4282027825
          • Opcode ID: 47020585b5d30cc81873af5900a78d0ae1db44321656286b275e84c2a052d5c6
          • Instruction ID: 16a7297f9a6f5b1149a9f4640d3d757591f7b83c30336aaf60afa32fbb93f0cf
          • Opcode Fuzzy Hash: 47020585b5d30cc81873af5900a78d0ae1db44321656286b275e84c2a052d5c6
          • Instruction Fuzzy Hash: 83512276A006189FDB00DFA9CC45BAEB7A5FF45321F14851AF821D7390DF78AE008B98
          APIs
          • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,33F38F05), ref: 00500B63
          • CloseHandle.KERNEL32(00000000), ref: 00500BC0
            • Part of subcall function 0070FCC5: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FCD0
            • Part of subcall function 0070FCC5: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FD0A
          • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 00500C27
          • CloseHandle.KERNEL32(00000000,?), ref: 00500C4D
            • Part of subcall function 0070FC74: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FC7E
            • Part of subcall function 0070FC74: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FCB1
            • Part of subcall function 0070FC74: WakeAllConditionVariable.KERNEL32(00861A3C,?,?,004EB597,00862654,007A1290), ref: 0070FCBC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
          • String ID: aix$html
          • API String ID: 3683816281-2369804267
          • Opcode ID: 7e7a2de107982fc8d4ff893a7530b696eee485eb6a9ac3c44875a2e85b8d6b79
          • Instruction ID: 28ec3b175b2bed94eb257f13102a87c22186b6a785bfe78295a5e6148b927810
          • Opcode Fuzzy Hash: 7e7a2de107982fc8d4ff893a7530b696eee485eb6a9ac3c44875a2e85b8d6b79
          • Instruction Fuzzy Hash: E1618DB0900348DFEB20CF94D859B9EBBF0FB55708F24461DE005AB2D1DBB96A49DB91
          APIs
          • Wow64DisableWow64FsRedirection.KERNEL32(00000000,33F38F03,?,?), ref: 00646089
          • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00646101
          • GetLastError.KERNEL32 ref: 00646112
          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0064612E
          • GetExitCodeProcess.KERNEL32(?,000000FF), ref: 0064613F
          • CloseHandle.KERNEL32(?), ref: 00646149
          • Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00646164
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
          • String ID:
          • API String ID: 1153077990-0
          • Opcode ID: 9a740555c63bb30dd304c33dda60f72075a9fb9ceff3b18917ce5da90f1093bc
          • Instruction ID: 57e716b07b4fabd3ff12c4a0994db81ed9a300eed43aeeef000f287ad2c199ef
          • Opcode Fuzzy Hash: 9a740555c63bb30dd304c33dda60f72075a9fb9ceff3b18917ce5da90f1093bc
          • Instruction Fuzzy Hash: 8241CF71E043889BDB10CFA9CC447EEBBF9AF4A314F148269F810A7281D7749940CF91
          APIs
          • LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00863388), ref: 0064DCF3
          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0064DD03
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: SHGetSpecialFolderPathW$Shell32.dll$kys$uys
          • API String ID: 2574300362-245467002
          • Opcode ID: 25c93ac11f1fba866d05408e9501c99328adab4a59956ae13d96dd446dc0755f
          • Instruction ID: fadea977c3c113eca402f342f6113678e7f35a8b277bd66f318487f19aa3f2e4
          • Opcode Fuzzy Hash: 25c93ac11f1fba866d05408e9501c99328adab4a59956ae13d96dd446dc0755f
          • Instruction Fuzzy Hash: 2331D471E007019BDB249F24DC49BABB7F6BFD4B00F08C42CE486872D0EBB598468B91
          APIs
          • LoadLibraryW.KERNEL32(ComCtl32.dll,33F38F03,00000000,00000000,?), ref: 00647D6A
          • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 00647D90
          • FreeLibrary.KERNEL32(00000000), ref: 00647E19
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Library$AddressFreeLoadProc
          • String ID: ComCtl32.dll$LoadIconMetric$d+~
          • API String ID: 145871493-1678350609
          • Opcode ID: 66b7572b3c77c653c6f6d8636bd0b513721ac807a66d588056d9e6c84fbe5c30
          • Instruction ID: 713e86941014ebe140bfdad82508a00d5ab0de15af0c20170a94a11b0ebe9b21
          • Opcode Fuzzy Hash: 66b7572b3c77c653c6f6d8636bd0b513721ac807a66d588056d9e6c84fbe5c30
          • Instruction Fuzzy Hash: 7A3180B2A00259EBDB158F95CC04BBFBBB9FF49750F004229F915A7390D7794E008B90
          APIs
          • LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,0065B47B,?), ref: 0064ED2F
          • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0064ED45
          • FreeLibrary.KERNEL32(00000000), ref: 0064ED88
          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,0065B47B,?), ref: 0064EDA4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Library$Free$AddressLoadProc
          • String ID: DllGetVersion$Shlwapi.dll
          • API String ID: 1386263645-2240825258
          • Opcode ID: cc9d8703d36322e2c6857858ac74c9ed9575f85d6a98c2a0f64a02fb6a492e95
          • Instruction ID: 334c7f519ce3224d0bb6b0638b9b1e95abbcfdf23f1333d2e92703d1755865b9
          • Opcode Fuzzy Hash: cc9d8703d36322e2c6857858ac74c9ed9575f85d6a98c2a0f64a02fb6a492e95
          • Instruction Fuzzy Hash: F521E075A043058BC714DF2AE88996BFBE6FFDD310B404A2DF849C3340EA39D9458B92
          APIs
          • FreeLibrary.KERNEL32(00000000,?,00729813,0000000D,004F22FC,00000001,00000000,0000000B,?,00729A7D,00000021,FlsSetValue,007CC43C,007CC444,00000001), ref: 007297C7
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: FreeLibrary
          • String ID: api-ms-$ext-ms-
          • API String ID: 3664257935-537541572
          • Opcode ID: 58cb4c9a73e3179c986a911c2760efa770892288521cc2114cff78a9f4b3b78b
          • Instruction ID: 64b7295a0f718be5e36936c9b46e111114be0594d3c77d16f0fe74825915af21
          • Opcode Fuzzy Hash: 58cb4c9a73e3179c986a911c2760efa770892288521cc2114cff78a9f4b3b78b
          • Instruction Fuzzy Hash: FC21E435A11231ABD7229F65FC45E5A7769EF517B0F294124FA0AA73D0DB38EE00C6E0
          APIs
          • SetFilePointer.KERNEL32(?,?,?,00000000,33F38F03,00000000), ref: 0066D687
          • GetLastError.KERNEL32 ref: 0066D9BA
          • GetLastError.KERNEL32 ref: 0066DA4A
          • GetLastError.KERNEL32 ref: 0066D696
            • Part of subcall function 00647B80: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,33F38F03,?,00000000), ref: 00647BCB
            • Part of subcall function 00647B80: GetLastError.KERNEL32(?,00000000), ref: 00647BD5
          • ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 0066D7A9
          • ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 0066D800
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ErrorLast$File$Read$FormatMessagePointer
          • String ID:
          • API String ID: 3903527278-0
          • Opcode ID: d11edebe00e307dea3eb8d87ab35c5ebe3f5e6df755d4588fef1b3bc70d84f60
          • Instruction ID: 0481e225a13ad97f6b20b56c6556c7d1b7e84a6770da54bbc40906c0218d04c2
          • Opcode Fuzzy Hash: d11edebe00e307dea3eb8d87ab35c5ebe3f5e6df755d4588fef1b3bc70d84f60
          • Instruction Fuzzy Hash: EE028F71E00609DFDB04DFA8C845BEEBBB6FF49324F148259E815A7391DB74AA01CB94
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 0053062A
          • std::_Lockit::_Lockit.LIBCPMT ref: 0053064C
          • std::_Lockit::~_Lockit.LIBCPMT ref: 00530674
          • __Getctype.LIBCPMT ref: 00530755
          • std::_Facet_Register.LIBCPMT ref: 005307B7
          • std::_Lockit::~_Lockit.LIBCPMT ref: 005307EB
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
          • String ID:
          • API String ID: 1102183713-0
          • Opcode ID: d1192d782c1a7d1efa51c61df92db9969d26fcc206e1b3d711ea181bab6810e1
          • Instruction ID: 2c23d83825ce7ff6e161164cfac5fa0297729a11212c6aa315682b59f576d17d
          • Opcode Fuzzy Hash: d1192d782c1a7d1efa51c61df92db9969d26fcc206e1b3d711ea181bab6810e1
          • Instruction Fuzzy Hash: E961ACB0C00209DFDB11CF68C955BAEFBB4FF54310F248259D805AB392EB74AA44CB91
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 0053041D
          • std::_Lockit::_Lockit.LIBCPMT ref: 0053043F
          • std::_Lockit::~_Lockit.LIBCPMT ref: 00530467
          • __Getcoll.LIBCPMT ref: 00530531
          • std::_Facet_Register.LIBCPMT ref: 00530576
          • std::_Lockit::~_Lockit.LIBCPMT ref: 005305B7
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
          • String ID:
          • API String ID: 1184649410-0
          • Opcode ID: c20f2e65e31f563174320c8407d614e30fffe858c04fa98ae1ef0df69c255408
          • Instruction ID: ba3884212b67a7754bb0caeb549894c4b96854aae60d5a788d22ad01397a1f74
          • Opcode Fuzzy Hash: c20f2e65e31f563174320c8407d614e30fffe858c04fa98ae1ef0df69c255408
          • Instruction Fuzzy Hash: EF516971C00218EFDF11DF98D894B9DBBF4FF40314F248269E855AB291DB78AA05CB91
          APIs
          • SetLastError.KERNEL32(0000000E,33F38F03), ref: 004FC26F
          • GetCurrentThreadId.KERNEL32 ref: 004FC2B3
          • EnterCriticalSection.KERNEL32(008686D4), ref: 004FC2D3
          • LeaveCriticalSection.KERNEL32(008686D4), ref: 004FC2F7
            • Part of subcall function 0070F399: GetProcessHeap.KERNEL32(00000008,00000008,00000000,004FA133), ref: 0070F39E
            • Part of subcall function 0070F399: HeapAlloc.KERNEL32(00000000), ref: 0070F3A5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CriticalHeapSection$AllocCurrentEnterErrorLastLeaveProcessThread
          • String ID: AXWIN UI Window
          • API String ID: 2176831970-1592869507
          • Opcode ID: 8267e88d55b973825b2215caf68acd3cd881f7ed3a49352d3204a8dde52aaac8
          • Instruction ID: e9f539e388af6247d9daac6b6de553f410f84e09c92c75126743dcf56d71bb75
          • Opcode Fuzzy Hash: 8267e88d55b973825b2215caf68acd3cd881f7ed3a49352d3204a8dde52aaac8
          • Instruction Fuzzy Hash: A651D472604209EFDB20CF59DD48B6BBBE4FB54711F11821AF904D7380D778A904CB65
          APIs
          • EnterCriticalSection.KERNEL32(008686D4,33F38F03,00000000,008686F0), ref: 004FBD13
          • LeaveCriticalSection.KERNEL32(008686D4), ref: 004FBD77
          • LoadCursorW.USER32(004E0000,80004005), ref: 004FBDD0
          • LeaveCriticalSection.KERNEL32(008686D4), ref: 004FBE68
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CriticalSection$Leave$CursorEnterLoad
          • String ID: ATL:%p
          • API String ID: 2080323225-4171052921
          • Opcode ID: 29358b3b155709a29ec2dca62bc72581c00f4080ec111f2055d7786ac29d4e82
          • Instruction ID: 3b16a7315a4b4e5532e03ef44a1cd0cae933f1cd7883d81ace1d795882179444
          • Opcode Fuzzy Hash: 29358b3b155709a29ec2dca62bc72581c00f4080ec111f2055d7786ac29d4e82
          • Instruction Fuzzy Hash: D5519A31904B488BDB20CF68C9446ABBBF4FF19710F00861EE995A3691EB74A980CB95
          APIs
          • InitializeCriticalSectionAndSpinCount.KERNEL32(00863344,00000000,33F38F03,00000000,0077E943,000000FF,?,33F38F03), ref: 004E2E83
          • GetLastError.KERNEL32(?,33F38F03), ref: 004E2E8D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CountCriticalErrorInitializeLastSectionSpin
          • String ID: HJ~$lJ~$J~
          • API String ID: 439134102-1695832444
          • Opcode ID: bbeb6628912183148e166440c922b196a42041c33298c201c07f959706bfad39
          • Instruction ID: eeceb24713dcfb4b9f9789b93dbc42b3c19a65ff177fb7b15232f07474eca7b9
          • Opcode Fuzzy Hash: bbeb6628912183148e166440c922b196a42041c33298c201c07f959706bfad39
          • Instruction Fuzzy Hash: 2A51E4B1C01688DBDB10CF5AEE0679EB7F8FB08714F01426ED414A7390DBBD9A048B55
          APIs
          • GetCurrentProcess.KERNEL32 ref: 0052F8F2
          • OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 0052F8FF
          • GetLastError.KERNEL32 ref: 0052F93D
          • CloseHandle.KERNEL32(00000000), ref: 0052F974
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Process$CloseCurrentErrorHandleLastOpenToken
          • String ID: SeShutdownPrivilege
          • API String ID: 2767541406-3733053543
          • Opcode ID: 95fdfc3ae6b8ee472dd1979216be191f0f43b2b93efc8fefddb9f14af3c27753
          • Instruction ID: eba51a834fa21fe0110e5b738c44e8ef9659ed50625354623474ab53d2560173
          • Opcode Fuzzy Hash: 95fdfc3ae6b8ee472dd1979216be191f0f43b2b93efc8fefddb9f14af3c27753
          • Instruction Fuzzy Hash: 05313C71A44609EBEB10DFA0EC49BEEBBB8FB09B14F104129E511B72C0DB795A04CB64
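The function blocks above are easier to review when the API lines are parsed rather than read one at a time. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses the report's "APIs" call lines (including "Part of subcall function" lines) and the "String ID" line of the same function, then flags three sequences that appear in the blocks above and that a practitioner would want to look at first: runtime symbol resolution through LoadLibraryW or GetModuleHandleExW followed by GetProcAddress, CreateProcessW issued after Wow64DisableWow64FsRedirection, and OpenProcessToken in a function that also references a Se*Privilege string. The embedded excerpt is copied from this page and trimmed to the lines the parser reads; the rule names and triage wording are my own. The report itself draws no such conclusions, and none of these patterns is malicious on its own; legitimate installers routinely do all three, which is consistent with this sample's low score.

```python
"""Added example: parse Joe Sandbox 'APIs' function blocks and flag call sequences
worth a closer look. Not part of the report or of the Joe Sandbox IDA plugin."""
import re
from dataclasses import dataclass, field

# One call line, e.g. "• CreateProcessW.KERNEL32(00000000,...,?), ref: 00646101",
# "• GetLastError.KERNEL32 ref: 00646112", or a "Part of subcall function" line.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:~]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# The "String ID" line under "Similarity" lists referenced strings joined by "$".
STRING_LINE = re.compile(r"^•\s*String ID:\s*(?P<strings>.*)$")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool  # True for "Part of subcall function" lines


@dataclass
class Block:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # from the "String ID" line


def parse_blocks(text):
    """Start a new Block at each 'APIs' heading; collect its call lines and String ID."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Block()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(Call(m.group("api"), m.group("module"), args,
                                  m.group("ref"), m.group("caller") is not None))
            continue
        m = STRING_LINE.match(line)
        if m:
            cur.strings = [s for s in m.group("strings").split("$") if s]
    return blocks


def triage(block):
    """Notes on the three call patterns this example looks for. None is malicious on
    its own (installers do all three); they are where review time should go first."""
    names = [c.api for c in block.calls]
    notes = []
    if "GetProcAddress" in names and {"LoadLibraryW", "GetModuleHandleExW"} & set(names):
        syms = [c.args[1] for c in block.calls if c.api == "GetProcAddress" and len(c.args) > 1]
        notes.append(f"resolves {', '.join(syms)} at runtime")
    if {"Wow64DisableWow64FsRedirection", "CreateProcessW"} <= set(names) and \
            names.index("Wow64DisableWow64FsRedirection") < names.index("CreateProcessW"):
        notes.append("spawns a child process with WOW64 file-system redirection disabled")
    privs = [s for s in block.strings if s.startswith("Se") and s.endswith("Privilege")]
    if "OpenProcessToken" in names and privs:
        notes.append(f"opens its own process token; references {', '.join(privs)}")
    return notes


def triage_report(text):
    """Map the first call address of each flagged block to its notes."""
    out = {}
    for b in parse_blocks(text):
        notes = triage(b)
        if notes and b.calls:
            out[b.calls[0].ref] = notes
    return out


# Constructed sample: four 'APIs' blocks copied from this report, trimmed to what the parser reads.
REPORT_EXCERPT = """\
APIs
• Wow64DisableWow64FsRedirection.KERNEL32(00000000,33F38F03,?,?), ref: 00646089
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00646101
• GetLastError.KERNEL32 ref: 00646112
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0064612E
• GetExitCodeProcess.KERNEL32(?,000000FF), ref: 0064613F
• CloseHandle.KERNEL32(?), ref: 00646149
• Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00646164
Similarity
• String ID:
APIs
• LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00863388), ref: 0064DCF3
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0064DD03
Similarity
• String ID: SHGetSpecialFolderPathW$Shell32.dll$kys$uys
APIs
• GetCurrentProcess.KERNEL32 ref: 0052F8F2
• OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 0052F8FF
• GetLastError.KERNEL32 ref: 0052F93D
• CloseHandle.KERNEL32(00000000), ref: 0052F974
Similarity
• String ID: SeShutdownPrivilege
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0053062A
"""
```

Run `triage_report(REPORT_EXCERPT)` to get a dict keyed by the first call address of each flagged function; the std::_Lockit block produces no notes and is omitted. Feeding the whole report page through the same function works unchanged, because every function block on the page opens with the same "APIs" heading and the call lines share the one format the regex encodes.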
          APIs
          • EncodePointer.KERNEL32(005D2727,?,0070D1B7,0070D200,?,0070D046,00000000,00000000,00000000,00000004,005D2727,00000001,?,005D1346,?), ref: 0070ECB8
          • IsProcessorFeaturePresent.KERNEL32(00000017,007149B2,?,00714921,00000001,00000016,00714B30,?,?,?,?,?,00000000,00000001,00000009,?), ref: 00719C10
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: EncodeFeaturePointerPresentProcessor
          • String ID: 0Kq
          • API String ID: 4030241255-4020628454
          • Opcode ID: b95e4084f6aef23b8a1fc61dd3d0918134ffffc1cf351b0a14ae6b80be08bdcb
          • Instruction ID: af5a2cda7d61c9da58c6eeb75629fb6018f8985535a2859edc263b509091c0ce
          • Opcode Fuzzy Hash: b95e4084f6aef23b8a1fc61dd3d0918134ffffc1cf351b0a14ae6b80be08bdcb
          • Instruction Fuzzy Hash: 83113A71144308FBFB252F64AC4EF963BADFB85755F180025FA08951D2DAF98D80C6A0
          APIs
          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,33F38F03,00000001,?,00000000,007A1040,000000FF,?,0071C86E,?,?,0071C842,00000016), ref: 0071C913
          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0071C925
          • FreeLibrary.KERNEL32(00000000,?,00000000,007A1040,000000FF,?,0071C86E,?,?,0071C842,00000016), ref: 0071C947
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressFreeHandleLibraryModuleProc
          • String ID: CorExitProcess$mscoree.dll
          • API String ID: 4061214504-1276376045
          • Opcode ID: 4bec1047c6dced013d671a91153894e43d622afbd93037fa6d1b7dfefddbf4b8
          • Instruction ID: d647ac56fc498ddb18aa45c6e68eea5dca2531b5f7e13f54d0198cc855ce211e
          • Opcode Fuzzy Hash: 4bec1047c6dced013d671a91153894e43d622afbd93037fa6d1b7dfefddbf4b8
          • Instruction Fuzzy Hash: 9D01A271944669FBDB028F94CC09FEEB7B9FB44B11F008629F811A22D0DB7D9A00CA80
          APIs
          • GetProcessHeap.KERNEL32(?,?,?,00000000,?), ref: 0054A4CD
          • HeapFree.KERNEL32(00000000,?,?,?,00000000,?), ref: 0054A4D3
          • GetProcessHeap.KERNEL32(?,?,?), ref: 0054A52D
          • HeapFree.KERNEL32(00000000,?,?,?), ref: 0054A533
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Heap$FreeProcess
          • String ID: p|
          • API String ID: 3859560861-2000032371
          • Opcode ID: 6cfc5d84dc022b7622a34cb6e88c26dde7bfc6c2eda9c69e90f1019a17eaa791
          • Instruction ID: 0fcdfc3c130c1ad19343be71b072f00c7837e0e338fd40dda14e583cb730f6e2
          • Opcode Fuzzy Hash: 6cfc5d84dc022b7622a34cb6e88c26dde7bfc6c2eda9c69e90f1019a17eaa791
          • Instruction Fuzzy Hash: E8B1BE71D00248DFDB15DFA8C948BEDFBF4BF44318F14866AE411A7291DB789A05CB91
          APIs
          • GetCurrentThreadId.KERNEL32 ref: 0070CCD1
          • AcquireSRWLockExclusive.KERNEL32(00000008,?,005282DF,00000000,33F38F03), ref: 0070CCF0
          • AcquireSRWLockExclusive.KERNEL32(00000008,?,?,?,005282DF,00000000,33F38F03), ref: 0070CD1E
          • TryAcquireSRWLockExclusive.KERNEL32(00000008,?,?,?,005282DF,00000000,33F38F03), ref: 0070CD79
          • TryAcquireSRWLockExclusive.KERNEL32(00000008,?,?,?,005282DF,00000000,33F38F03), ref: 0070CD90
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AcquireExclusiveLock$CurrentThread
          • String ID:
          • API String ID: 66001078-0
          • Opcode ID: 5f7f4f1ee285ce402f01f52de6f4d5fffe467cfc417bce9358a60e51ce666f73
          • Instruction ID: 5302320f91d33ea41daff030778466c79c43c05ffe79f64058ec7a4316419611
          • Opcode Fuzzy Hash: 5f7f4f1ee285ce402f01f52de6f4d5fffe467cfc417bce9358a60e51ce666f73
          • Instruction Fuzzy Hash: D0414C75A0060ADBCB26DF65C484AAABBF4FF45310B108B3AE446D7AC0D738E945DB60
          APIs
          • std::_Lockit::_Lockit.LIBCPMT ref: 0063C84D
          • std::_Lockit::_Lockit.LIBCPMT ref: 0063C870
          • std::_Lockit::~_Lockit.LIBCPMT ref: 0063C898
          • std::_Facet_Register.LIBCPMT ref: 0063C90D
          • std::_Lockit::~_Lockit.LIBCPMT ref: 0063C941
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
          • String ID:
          • API String ID: 459529453-0
          • Opcode ID: 7a875393307dfef74d94725f759b028f30df2a3a8c0db1a50347e37af398681c
          • Instruction ID: a8df493d3f429cc2cda4eaa48f58791b9767b91574ea336187067915dcc9f554
          • Opcode Fuzzy Hash: 7a875393307dfef74d94725f759b028f30df2a3a8c0db1a50347e37af398681c
          • Instruction Fuzzy Hash: 9A41797180020ADFCB11DF58D844BAEBBB5FF41324F258259E855A7391DB74AE06CBD1
          APIs
          • LocalFree.KERNEL32(?,?,00000000,S-1-5-18,10000000,00000001), ref: 0063FFA2
          • LocalFree.KERNEL32(?,?,00000000,S-1-5-18,10000000,00000001), ref: 0063FFB6
          • GetLastError.KERNEL32 ref: 0063FFF8
          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00640038
          • GetLastError.KERNEL32 ref: 00640052
          • LocalFree.KERNEL32(?), ref: 00640063
            • Part of subcall function 004EB0F0: RtlAllocateHeap.NTDLL(?,00000000,?,33F38F03,00000000,007386D0,000000FF,?,?,008592EC,?,?,004E11F6,80004005,33F38F03), ref: 004EB13A
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Local$Free$ErrorLast$AllocAllocateHeap
          • String ID:
          • API String ID: 1027944315-0
          • Opcode ID: 0595181edf82d3a6ee2c6e569fb62da8d1ce5b14b12e614e8782fde6adf34cee
          • Instruction ID: af689379d8bacc5170234a86a29aaee0ef6954eecc1109982d5a9e543999d7fe
          • Opcode Fuzzy Hash: 0595181edf82d3a6ee2c6e569fb62da8d1ce5b14b12e614e8782fde6adf34cee
          • Instruction Fuzzy Hash: 9C311A70604705EFE7209F39D848B97BBE9BF44705F00892DF986D2650EB79D508CB91
          APIs
          • GetModuleHandleW.KERNEL32(Advapi32.dll,33F38F03,33F38F03,?,?), ref: 006412F4
          • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00641304
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: Advapi32.dll$RegOpenKeyTransactedW
          • API String ID: 1646373207-3913318428
          • Opcode ID: 2f549571c748472bd93458d5e3c19c3276f1637b5ef9113d8a069929a1242a52
          • Instruction ID: e92fb56345472ef1eb63b53d6dbab076c4638fe0aa19354391aed2973e352147
          • Opcode Fuzzy Hash: 2f549571c748472bd93458d5e3c19c3276f1637b5ef9113d8a069929a1242a52
          • Instruction Fuzzy Hash: 31A159B0D00348DFDB14DFA9C948B9EBBF5BF49304F208659E419AB391D778AA44CB90
          APIs
          • __freea.LIBCMT ref: 0072A3DC
            • Part of subcall function 0072822B: RtlAllocateHeap.NTDLL(00000000,00000001,00000009,?,00710E44,0000000B,00000009,?,?,?,004F22FC,0000000D,0000000D), ref: 0072825D
          • __freea.LIBCMT ref: 0072A3F1
          • __freea.LIBCMT ref: 0072A401
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: __freea$AllocateHeap
          • String ID: 0Kq
          • API String ID: 2243444508-4020628454
          • Opcode ID: 3ddfe1038d2e6ea8c0c0f6bce0303eed8a4f46662b77dd80849ffbced3efaac3
          • Instruction ID: 8b0a72091a41c1dc7c35c77f21049682555212f3c3d5a46cbac0497e74374d6d
          • Opcode Fuzzy Hash: 3ddfe1038d2e6ea8c0c0f6bce0303eed8a4f46662b77dd80849ffbced3efaac3
          • Instruction Fuzzy Hash: A351C372A00226FFEF259EA4EC85EBB36E9EF44350B150129FD08D6152E679CC5087A2
          APIs
          • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,33F38F03), ref: 006A0D82
          • WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000), ref: 006A0E28
          • CloseHandle.KERNEL32(00000000), ref: 006A0E9C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: File$CloseCreateHandleWrite
          • String ID: wvs
          • API String ID: 1065093856-513169713
          • Opcode ID: 990c819d647b2095f7341c3618711865d50b81c7b23465f3ef960528751f6a57
          • Instruction ID: 90b82af2422e4f9d3e5ef7b81c6a848014d17b04714ecdcce2e33e44c4453db2
          • Opcode Fuzzy Hash: 990c819d647b2095f7341c3618711865d50b81c7b23465f3ef960528751f6a57
          • Instruction Fuzzy Hash: 195138B1901208AFEB14DFA4D949BEEFBF9FF49714F20416AE400B7290D7755E048BA4
          APIs
          • lstrcpynW.KERNEL32(?,?,00000020), ref: 0051C141
          • MulDiv.KERNEL32(?,00000048,00000000), ref: 0051C17E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: lstrcpyn
          • String ID: ?$t
          • API String ID: 97706510-1995845436
          • Opcode ID: 2c94cfe56a69e468b2583006d02dd3d1228836768e63dfb5e4a9db4ef47fc703
          • Instruction ID: cbad07e43a9faf9bf556886551eb43831f99e7e050c639f5d3ee08bdf5309527
          • Opcode Fuzzy Hash: 2c94cfe56a69e468b2583006d02dd3d1228836768e63dfb5e4a9db4ef47fc703
          • Instruction Fuzzy Hash: 24518171644341AFE720DF60DC49BABBFE8FB89300F004919F699D6291DB74D558CB92
          APIs
          • GetModuleHandleW.KERNEL32(Advapi32.dll,33F38F03,33F38F03), ref: 0062D645
          • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0062D66E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressHandleModuleProc
          • String ID: Advapi32.dll$RegCreateKeyTransactedW
          • API String ID: 1646373207-2994018265
          • Opcode ID: ea1a99193217127ae0d8c9db20710cbd4feff9b8637d8b80a48f5910df594c53
          • Instruction ID: ec12dc79084488411716e73cc0a57b6ebb6b1641456869d9bfc1fd5c0d37777a
          • Opcode Fuzzy Hash: ea1a99193217127ae0d8c9db20710cbd4feff9b8637d8b80a48f5910df594c53
          • Instruction Fuzzy Hash: 7731AF71A40619EFEB148F55EC45FAABBB9FB48710F10812AF909E73D0D775A900CE94
          APIs
          • DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,0073D86D,000000FF,?,80004005,33F38F03), ref: 006446B0
            • Part of subcall function 004EA920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,004E1269,http://,?,00000000,0073B3FF,000000FF,?,80004005,33F38F03), ref: 004EA943
          • DeleteFileW.KERNEL32(?,33F38F03,?,?,00000000,?,00000000,0073D86D,000000FF,?,00644424,?,?,00000000), ref: 006446EB
          • GetLastError.KERNEL32(?,?,00000000,?,00000000,0073D86D,000000FF,?,00644424,?,?,00000000), ref: 006446FB
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: DeleteFile$ErrorFindHeapLastProcessResource
          • String ID: \\?\
          • API String ID: 2079828947-4282027825
          • Opcode ID: 0aaef092482d17f31861ccb340acbfa11ce433fe0cebf08bce4496e4d0c86c89
          • Instruction ID: 45b97b520a6a8d92b3ed1bbb8982adddd813ad7a07fc68fc28121214889a187e
          • Opcode Fuzzy Hash: 0aaef092482d17f31861ccb340acbfa11ce433fe0cebf08bce4496e4d0c86c89
          • Instruction Fuzzy Hash: 7931F136A006159FDB009F69CC49BAEB7A6FF06321F15451AF821D7390DF399D00CB94
          APIs
          • LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 004F2A54
          • GetProcAddress.KERNEL32(00000000,combase.dll), ref: 004F2A5A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressLibraryLoadProc
          • String ID: RoOriginateLanguageException$combase.dll
          • API String ID: 2574300362-3996158991
          • Opcode ID: a8cb630713e48e762725abf14b1d9b0dcfe631ae3384211af957e6eeb56054be
          • Instruction ID: fbe89fc9775cadfc55b0a38813468f1251c1e74b07616f8f12a7798a368629e9
          • Opcode Fuzzy Hash: a8cb630713e48e762725abf14b1d9b0dcfe631ae3384211af957e6eeb56054be
          • Instruction Fuzzy Hash: 17317C71D0021DDBDB25DF94CA06BAEBBB8FB00710F10462AE910A73D1DBB85A44CBD5
          APIs
          • GetProcAddress.KERNEL32(SetWindowTheme), ref: 00620C0D
            • Part of subcall function 0070FCC5: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FCD0
            • Part of subcall function 0070FCC5: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FD0A
            • Part of subcall function 005C55B0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 005C55F2
            • Part of subcall function 0070FC74: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FC7E
            • Part of subcall function 0070FC74: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FCB1
            • Part of subcall function 0070FC74: WakeAllConditionVariable.KERNEL32(00861A3C,?,?,004EB597,00862654,007A1290), ref: 0070FCBC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryProcSystemVariableWake
          • String ID: SetWindowTheme$UxTheme.dll$explorer
          • API String ID: 3484637549-3123591815
          • Opcode ID: 85a1b6d01be9659ff4069f72eb59b05955c3c016dbbb1cac5728b4f6fea2cb4d
          • Instruction ID: c487ab0125a517d0f5d13263d1cdfb593d79b4ce6b9f8138c9c70b4197636f7f
          • Opcode Fuzzy Hash: 85a1b6d01be9659ff4069f72eb59b05955c3c016dbbb1cac5728b4f6fea2cb4d
          • Instruction Fuzzy Hash: B12109B1640706EBD720DF14EC4AB89B7ADF746B20F210325F861A37D1CBBD69048B54
          APIs
            • Part of subcall function 0070FCC5: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FCD0
            • Part of subcall function 0070FCC5: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,?,004EB526,00862654,33F38F03,?,?,00738C4D,000000FF,?,004E1179,33F38F03), ref: 0070FD0A
          • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0064CE0E
          • GetProcAddress.KERNEL32(00000000), ref: 0064CE15
            • Part of subcall function 0070FC74: AcquireSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FC7E
            • Part of subcall function 0070FC74: ReleaseSRWLockExclusive.KERNEL32(00861A40,?,?,004EB597,00862654,007A1290), ref: 0070FCB1
            • Part of subcall function 0070FC74: WakeAllConditionVariable.KERNEL32(00861A3C,?,?,004EB597,00862654,007A1290), ref: 0070FCBC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
          • String ID: Dbghelp.dll$SymFromAddr
          • API String ID: 1702099962-642441706
          • Opcode ID: 552f27a6ce70bebb083dd4d1b9e630012f2b6826c8c1f487d445ea36aee62884
          • Instruction ID: b6ede0a681cbe277e58e1f6001818f4f7ee5cc5d5d6868e6b74ec702308d6afb
          • Opcode Fuzzy Hash: 552f27a6ce70bebb083dd4d1b9e630012f2b6826c8c1f487d445ea36aee62884
          • Instruction Fuzzy Hash: 33017CB1941689EBDB10CF98DC46B4ABBB8F709B20F114729E825D37E0D7786900CB11
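The four records above that pair GetModuleHandleW or LoadLibrary with GetProcAddress (Advapi32.dll/RegOpenKeyTransactedW, combase.dll/RoOriginateLanguageException, UxTheme.dll/SetWindowTheme, Dbghelp.dll/SymFromAddr) are what the "Contains functionality to dynamically determine API calls" signature counts. Reading them by hand does not scale, so the following added Python helper, written for this page and not part of the Joe Sandbox report or of the analysed sample, parses records in the plain-text form shown here, lists the DLL and export name each resolving function looks up, and sets aside the one combination that the MSVC runtime itself emits. The sample input is a hand-typed excerpt of the records above, the allowlist entry is analyst judgment rather than anything the report states, and the record format (an `APIs` header, bullet lines ending in `ref: <address>`, a `String ID` line joined with `$`) is assumed from this page's layout. Note that the report's argument lists are reconstructed from the stack and can carry neighbouring values: LoadLibraryW takes one parameter, yet the combase record lists two, with the export name and DLL name swapped between the two calls. The helper therefore treats the arguments of loader and resolver calls as an unordered bag and cross-checks them against the record's `String ID`, which is also how it drops the unrelated `explorer` string from the UxTheme record.

```python
"""Added triage helper (not part of the Joe Sandbox report): pull the
dynamically resolved imports out of per-function API records of the kind
shown on this page and separate runtime boilerplate from the rest."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a hand-typed plain-text excerpt of the records above.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll,33F38F03,33F38F03,?,?), ref: 006412F4
• GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00641304
Similarity
• API ID: AddressHandleModuleProc
• String ID: Advapi32.dll$RegOpenKeyTransactedW
APIs
• LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 004F2A54
• GetProcAddress.KERNEL32(00000000,combase.dll), ref: 004F2A5A
Similarity
• String ID: RoOriginateLanguageException$combase.dll
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,33F38F03), ref: 006A0D82
• WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000), ref: 006A0E28
Similarity
• String ID: wvs
APIs
• GetProcAddress.KERNEL32(SetWindowTheme), ref: 00620C0D
  • Part of subcall function 005C55B0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 005C55F2
Similarity
• String ID: SetWindowTheme$UxTheme.dll$explorer
APIs
  • Part of subcall function 0070FCC5: AcquireSRWLockExclusive.KERNEL32(00861A40), ref: 0070FCD0
• LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 0064CE0E
• GetProcAddress.KERNEL32(00000000), ref: 0064CE15
Similarity
• String ID: Dbghelp.dll$SymFromAddr
"""

# One bullet line of the APIs list: "<api>.<MODULE>(<args>), ref: <addr>".
API_LINE = re.compile(
    r"^•\s*(?P<api>[\w:~$@?]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
IDENT = re.compile(r"^[A-Za-z_]\w*$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExW"}
RESOLVERS = {"GetProcAddress"}

# Assumed allowlist (analyst judgment, not from the report): resolutions that
# the compiler runtime emits on its own and that say nothing about the sample.
KNOWN_RUNTIME_RESOLUTIONS = {
    ("combase.dll", "RoOriginateLanguageException"):
        "MSVC runtime exception support, present in most modern MSVC binaries",
}


@dataclass
class Resolution:
    func_ref: str         # address of the first API call in the record
    dll: Optional[str]    # DLL named in the record's strings, if any
    symbols: List[str]    # export names the record resolves by hand
    note: Optional[str]   # why it is considered runtime noise, or None


def _records(text):
    """Split the plain-text dump into per-function records."""
    rec = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if rec:
                yield rec
            rec = {"apis": [], "strings": []}
            continue
        if rec is None or line.startswith("• Part of subcall"):
            continue  # callee behaviour belongs to the callee's own record
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            rec["apis"].append((m["api"], args, m["ref"]))
            continue
        m = STRING_ID.match(line)
        if m:
            rec["strings"] = [s for s in m["ids"].split("$") if s]
    if rec:
        yield rec


def triage(text) -> List[Resolution]:
    """Return one Resolution per record that calls GetProcAddress."""
    out = []
    for rec in _records(text):
        if not {api for api, _, _ in rec["apis"]} & RESOLVERS:
            continue
        # Arguments are stack reconstructions; order is not trusted, so the
        # loader/resolver arguments are pooled and matched against String ID.
        arg_bag = {a for api, args, _ in rec["apis"]
                   if api in (LOADERS | RESOLVERS) for a in args}
        dlls = [s for s in rec["strings"] if s.lower().endswith(".dll")]
        symbols = [s for s in rec["strings"]
                   if s not in dlls and IDENT.match(s) and s in arg_bag]
        dll = dlls[0] if dlls else None
        note = (KNOWN_RUNTIME_RESOLUTIONS.get((dll, symbols[0]))
                if len(symbols) == 1 else None)
        out.append(Resolution(rec["apis"][0][2], dll, symbols, note))
    return out


def unexplained(resolutions) -> List[Resolution]:
    """Resolutions not covered by the runtime allowlist: the ones to review."""
    return [r for r in resolutions if r.note is None]


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        tag = "runtime" if r.note else "review"
        print(f"{r.func_ref}  {tag:7}  {r.dll}!{','.join(r.symbols)}")
```

On this report the helper leaves three resolutions to review (the transacted registry API, the UxTheme call and the Dbghelp symbol lookup), all of which are consistent with an installer stub with theming and crash-report support rather than with API hiding; nothing here changes the page's low score, but the same script run over a report whose String IDs name process-injection or networking exports would surface them immediately.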
          APIs
          • std::_Throw_Cpp_error.LIBCPMT ref: 0052A659
          • std::_Throw_Cpp_error.LIBCPMT ref: 0052A664
            • Part of subcall function 0070CC9F: ReleaseSRWLockExclusive.KERNEL32(?,?,0070CADD,00861568,?,?,?,?,?,004EFB80,?,00000001,?,?,33F38F03), ref: 0070CCB3
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
          • String ID:
          • API String ID: 3666349979-0
          • Opcode ID: 6843feae79183617695d67a91ea11b99d51e4ebd1d3f1c56ea16b0dab91512c6
          • Instruction ID: d0037c5b7f13f971e8dfc5e5cd48110ae68d0a6598c302e0cde2293367b389e4
          • Opcode Fuzzy Hash: 6843feae79183617695d67a91ea11b99d51e4ebd1d3f1c56ea16b0dab91512c6
          • Instruction Fuzzy Hash: 4C91AFB1E00218DBDB00DF68D8457AEBBF5FF85314F10425AE824AB381D7B9AA05CB91
          APIs
          • GetLastError.KERNEL32 ref: 00646334
          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00646350
          • GetExitCodeProcess.KERNEL32(00000000,00782F17), ref: 00646361
          • CloseHandle.KERNEL32(00000000), ref: 0064636F
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
          • String ID:
          • API String ID: 2321548817-0
          • Opcode ID: 09237a1054062fa2acb219b4be00d715aa5e1d17e592f3d99b24e82f2a8f7d96
          • Instruction ID: 34a102ef525d6e7793c34b2e925f81859a23df2c655a785d74a9b2c96deb0777
          • Opcode Fuzzy Hash: 09237a1054062fa2acb219b4be00d715aa5e1d17e592f3d99b24e82f2a8f7d96
          • Instruction Fuzzy Hash: BC717B70A006499BDB14CFA8C8447AEBBB5FF49324F14825DF825A73D1DB78AE45CB80
          APIs
          • GetCurrentThreadId.KERNEL32 ref: 004F1110
            • Part of subcall function 0070CA3E: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,004F1126,?,00000000,00000000), ref: 0070CA4A
            • Part of subcall function 0070CA3E: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,004F1126,?,00000000,00000000), ref: 0070CA63
            • Part of subcall function 0070CA3E: CloseHandle.KERNEL32(?,?,?,?,004F1126,?,00000000,00000000), ref: 0070CA75
          • std::_Throw_Cpp_error.LIBCPMT ref: 004F1139
          • std::_Throw_Cpp_error.LIBCPMT ref: 004F1140
          • std::_Throw_Cpp_error.LIBCPMT ref: 004F1147
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
          • String ID:
          • API String ID: 2210105531-0
          • Opcode ID: 8059baf24b54533e8cdc82ec0f5bd4ac813f98f57e31fbe0cdef51f4dad06657
          • Instruction ID: 5c00fe4dcd3ef5b25c0ed34789f49bf4da2aa310a5547b4add74b4ac8fe91745
          • Opcode Fuzzy Hash: 8059baf24b54533e8cdc82ec0f5bd4ac813f98f57e31fbe0cdef51f4dad06657
          • Instruction Fuzzy Hash: 0D114C7550530CDBEB35AFA4DC0B75AB7D49F00B20F10C21EF7985B5D1DEB9A8808685
          APIs
          • __EH_prolog3.LIBCMT ref: 0070D01B
          • std::_Lockit::_Lockit.LIBCPMT ref: 0070D026
          • std::_Lockit::~_Lockit.LIBCPMT ref: 0070D094
            • Part of subcall function 0070D177: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0070D18F
          • std::locale::_Setgloballocale.LIBCPMT ref: 0070D041
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
          • String ID:
          • API String ID: 677527491-0
          • Opcode ID: 63e762cdc67d5533adb9ed11eeb9a750d3fd6fc312fbf6084e289d972bb1e41a
          • Instruction ID: a8277c61632c8a9f3c3ebc950d3f48389a3b4188bec714c9286dbc02f4044590
          • Opcode Fuzzy Hash: 63e762cdc67d5533adb9ed11eeb9a750d3fd6fc312fbf6084e289d972bb1e41a
          • Instruction Fuzzy Hash: 64019A75A00210DBCB0AEB60D859A7DBBA2FF85740F098209E802573D2CF7C6E42CBC1
          APIs
          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00528D24
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
          • String ID: Component$d
          • API String ID: 885266447-676972764
          • Opcode ID: 260d13111a15d2fad6345c6528ef52f475534855ffb9ce7794ade48097a7ee29
          • Instruction ID: 7106ea2ce92c100e51134478054b2a07f2a1cef4ff873b90d677df836953145b
          • Opcode Fuzzy Hash: 260d13111a15d2fad6345c6528ef52f475534855ffb9ce7794ade48097a7ee29
          • Instruction Fuzzy Hash: F6026A71D01218DFDB24CFA4D884BAEBBB1FF49314F248199E509B7291DB74AA84CF91
          APIs
          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00524CC4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
          • String ID: Component$d
          • API String ID: 885266447-676972764
          • Opcode ID: 1bcc490489b99390d9373d6e2ef9d20a6b36daf645f2e6a4bbfd89d92e805040
          • Instruction ID: 5ccb5d4dea297638752a8e88ec6c197e2ee785bed5687000758970e445564288
          • Opcode Fuzzy Hash: 1bcc490489b99390d9373d6e2ef9d20a6b36daf645f2e6a4bbfd89d92e805040
          • Instruction Fuzzy Hash: 11025A71D00218DFDB24CFA4D885BAEBBB5FF49314F248199E509B7291DB74AA84CF90
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: AddressAllocateHeapLibraryLoadProc
          • String ID: ADVINST_LOGS$Everyone
          • API String ID: 4199853766-3921853867
          • Opcode ID: 7050ae8b3e38b73d55c97b2ede81ffd80401f57c629d8870629f8665ebb9b356
          • Instruction ID: 434ac90d2e761bfcf415a2dd84220d871479dce325c37600cae32e11f08ffa3a
          • Opcode Fuzzy Hash: 7050ae8b3e38b73d55c97b2ede81ffd80401f57c629d8870629f8665ebb9b356
          • Instruction Fuzzy Hash: 69A1DF71D01208DBDB04DFA8C955BEEB7B2EF44314F244169E811AB392DB396E05CBE4
          APIs
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          • CloseHandle.KERNEL32(?,33F38F03,00868658,?,?,80004005,33F38F03,00000004), ref: 0063DDEB
          • DeleteCriticalSection.KERNEL32(?,33F38F03,00868658,?,?,80004005,33F38F03,00000004), ref: 0063DEA4
          Strings
          • << Advanced Installer (x86) Log >>, xrefs: 0063DD45
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CloseCriticalDeleteHandleHeapProcessSection
          • String ID: << Advanced Installer (x86) Log >>
          • API String ID: 1977327082-396061572
          • Opcode ID: 0f79533c52ff7287bb0f8bd840d0b73f6600ee3c03f9e194ec73afb7e6e8376d
          • Instruction ID: 38cad28808522067e1fa536eaf8f7433f78f1c4a645afb0d6da5f2569bca5f48
          • Opcode Fuzzy Hash: 0f79533c52ff7287bb0f8bd840d0b73f6600ee3c03f9e194ec73afb7e6e8376d
          • Instruction Fuzzy Hash: 4981AD70A0164ADFCB04DF69C8547AEBBB5FF49314F14829EE815A7381DB79AA01CBC0
          APIs
          • Concurrency::cancel_current_task.LIBCPMT ref: 0063CBF0
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Concurrency::cancel_current_task
          • String ID: false$true
          • API String ID: 118556049-2658103896
          • Opcode ID: b8e788cff0aebaf8e88b3bad640f2f59c7a38d9929a26e5f8b0c891253f1cfb7
          • Instruction ID: 12373d8407e9061141468e7798cd08e0bc325baab9eee881f170aede83560c51
          • Opcode Fuzzy Hash: b8e788cff0aebaf8e88b3bad640f2f59c7a38d9929a26e5f8b0c891253f1cfb7
          • Instruction Fuzzy Hash: 0B7192B1D00348DBDB11DFA8C945BDEB7F8FF04710F14826AE855AB281E779AA44CB91
          APIs
          • InterlockedPushEntrySList.KERNEL32(008626C8,008627E0,33F38F03,?), ref: 00543492
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: EntryInterlockedListPush
          • String ID: $0Z}
          • API String ID: 4129690577-1647885759
          • Opcode ID: 14e102f68ea6dad27601e8178815d4f6a73390eace8852187ff1eaf3cdc64483
          • Instruction ID: f09afb9ccf450578d6c9245b843b18d05c277aebe60b1a54901996279f4bf4bf
          • Opcode Fuzzy Hash: 14e102f68ea6dad27601e8178815d4f6a73390eace8852187ff1eaf3cdc64483
          • Instruction Fuzzy Hash: 476168B1D00219DFDB05CF94C849BEEFBB4FB44718F10856AE911A7391DBB96A44CB90
          APIs
          • OpenEventW.KERNEL32(00000000,00000000,33F38F03,_pbl_evt,00000008,?,?,007EA4DC,00000001,33F38F03,?), ref: 006AF12E
          • CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 006AF14B
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Event$CreateOpen
          • String ID: _pbl_evt
          • API String ID: 2335040897-4023232351
          • Opcode ID: 561fc619c64e2a9418edd48473d75a2b0c9c51e4413a39eb94b1f9d55645f7d4
          • Instruction ID: ad95ef1302d0407d5d2d2a30489b2d1e5eecf3a935709d70a0f205689906bba0
          • Opcode Fuzzy Hash: 561fc619c64e2a9418edd48473d75a2b0c9c51e4413a39eb94b1f9d55645f7d4
          • Instruction Fuzzy Hash: AB518EB1D00248EFDB14DFA5CC45BEEB7B4EB09714F108629E815A76C0DB786E05CB95
          APIs
          • GetTempPathW.KERNEL32(00000104,80000002,33F38F03,?,80000002,00863388), ref: 0063F2DF
          • CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00863388), ref: 0063F340
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: CreateDirectoryPathTemp
          • String ID: ADVINST_LOGS
          • API String ID: 2885754953-2492584244
          • Opcode ID: 72c181eb7cd3e9f510fc4973b95e634c8935ee8da0c0979b3c68422e5a0e7a1c
          • Instruction ID: b56f5e7c2e8e71ba6be80750366bc808c8407cbd4535bd29753aadf1a053fb41
          • Opcode Fuzzy Hash: 72c181eb7cd3e9f510fc4973b95e634c8935ee8da0c0979b3c68422e5a0e7a1c
          • Instruction Fuzzy Hash: 3451AA75D00219CADB209F28C8447BAB3F5FF50714F2446BEE84997291EB799E82CBD4
          APIs
            • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
          • WriteFile.KERNEL32(?,00000005,?,?,00000000,007D2DEC,00000002,?,00000000,CPU: ,00000005), ref: 0063EB61
          • FlushFileBuffers.KERNEL32(?), ref: 0063EB6A
            • Part of subcall function 004EA920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,004E1269,http://,?,00000000,0073B3FF,000000FF,?,80004005,33F38F03), ref: 004EA943
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: File$BuffersFindFlushHeapProcessResourceWrite
          • String ID: CPU:
          • API String ID: 2793600070-1724696780
          • Opcode ID: 196a25b94542e3e6bc2de0d5373d7617c6fa633263d929a4b562ebb6a2a83d06
          • Instruction ID: 9dcc09003018f8a2f28cbd474cd3e170b477db8c222950156fc96afb9868a711
          • Opcode Fuzzy Hash: 196a25b94542e3e6bc2de0d5373d7617c6fa633263d929a4b562ebb6a2a83d06
          • Instruction Fuzzy Hash: 6B41AE71A01609ABDB04DF69CC45BAEBBB5FF44320F148119F912A73D1DB79AE01CB94
          APIs
          • InterlockedPushEntrySList.KERNEL32(008626C8,00862780,33F38F03,00000002), ref: 0054161C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: EntryInterlockedListPush
          • String ID: X}$3
          • API String ID: 4129690577-457934055
          • Opcode ID: db8b49325d3fdfe3c10eda0322b9c2151aa831e072f03a6b197e4f5250cc92ca
          • Instruction ID: bb446b8f014d57502aca1b748200d6a8c68f4b6b75ca3fb95138b32503314e1b
          • Opcode Fuzzy Hash: db8b49325d3fdfe3c10eda0322b9c2151aa831e072f03a6b197e4f5250cc92ca
          • Instruction Fuzzy Hash: D9419AB0D01609DFDB01CFA4C884BEEBBB4FF48309F10416AE911A7390D7B95A44CB95
          APIs
          • InterlockedPushEntrySList.KERNEL32(008626C8,00862730,33F38F03,00000800), ref: 00508952
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: EntryInterlockedListPush
          • String ID: &$@,}
          • API String ID: 4129690577-3236757055
          • Opcode ID: 26bea124d5156d5ccae8e61f869062ccb8768ddfcfc0ae99c53639cce4b35709
          • Instruction ID: be6bb985b6f5f18ecbea35388e7f456036ef37340376c7121fabae0e784e26ab
          • Opcode Fuzzy Hash: 26bea124d5156d5ccae8e61f869062ccb8768ddfcfc0ae99c53639cce4b35709
          • Instruction Fuzzy Hash: 80318A70D0161ADBDB01DFA4C845BFEBBB4FB44318F11442AE910A72C0CBB95A08CBE1
          APIs
          • __alldvrm.LIBCMT ref: 00719C55
          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00719C7A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Unothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
          • String ID: 0Kq
          • API String ID: 3107155309-4020628454
          • Opcode ID: 8c40e2c6059dbca8a2b5662408a0ae1434ccf2e44e389d2a9cc9c5a0946fcfa2
          • Instruction ID: 73be1f47eddb0a835790716f64a073fc860bda656214964542fe2f8bb3f524e5
          • Opcode Fuzzy Hash: 8c40e2c6059dbca8a2b5662408a0ae1434ccf2e44e389d2a9cc9c5a0946fcfa2
          • Instruction Fuzzy Hash: 2CF05073600204BFEB202B55DC89F9B7B6EE7C5764F184015F608A6191C5F2DC00D2B0
          APIs
          • GetProcessHeap.KERNEL32(-000000FE,?,?), ref: 004F2CF4
          • HeapFree.KERNEL32(00000000,-000000FE,?,?), ref: 004F2CFA
          • GetProcessHeap.KERNEL32(-000000FE,00000000,00000000,00000000,00000000,00000000,33F38F03,00000004,?,?), ref: 004F2D27
          • HeapFree.KERNEL32(00000000,-000000FE,00000000,00000000,00000000,00000000,00000000,33F38F03,00000004,?,?), ref: 004F2D2D
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Heap$FreeProcess
          • String ID:
          • API String ID: 3859560861-0
          • Opcode ID: 925f63ef188c3fad5a74436c785d89ac226b8bc708e91c47dabf651ac08b5ec9
          • Instruction ID: 8e634d16e0a2e4ca73b86e7a85fd3f91cb9854a97f9954344176317c2600e980
          • Opcode Fuzzy Hash: 925f63ef188c3fad5a74436c785d89ac226b8bc708e91c47dabf651ac08b5ec9
          • Instruction Fuzzy Hash: 4E919A70D0024DDBDB14DFA8C945BAEBBB8BF05314F24425EE911A73D1C7B9AA04CBA5
          APIs
          • GetProcessHeap.KERNEL32(?,?), ref: 004F283B
          • HeapFree.KERNEL32(00000000,?,?), ref: 004F2841
          • GetProcessHeap.KERNEL32(?,?), ref: 004F2875
          • HeapFree.KERNEL32(00000000,?,?), ref: 004F287B
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Heap$FreeProcess
          • String ID:
          • API String ID: 3859560861-0
          • Opcode ID: 86b60dfe1fb8d46ec0143ce9a4fd0d51135ef7cdf60666556fa196f8c674a859
          • Instruction ID: 6229a36121d844771ef01907c858047ccc2c53976ae8ed1d9bd2ff02f2d35e20
          • Opcode Fuzzy Hash: 86b60dfe1fb8d46ec0143ce9a4fd0d51135ef7cdf60666556fa196f8c674a859
          • Instruction Fuzzy Hash: B65191B1A00609EBEB14DF58C945BAFB7F4FB44364F10432EE925973D1D7B95A008B91
          APIs
          • GetProcessHeap.KERNEL32(?,?,33F38F03,?,?,?,0073A1FD,000000FF), ref: 004F0527
          • HeapFree.KERNEL32(00000000,?,?,33F38F03,?,?,?,0073A1FD,000000FF), ref: 004F052D
            • Part of subcall function 004F2510: GetProcessHeap.KERNEL32(?,?,?,?,?,004F262B,00000000,00000004,?,?), ref: 004F2530
            • Part of subcall function 004F2510: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,004F262B,00000000,00000004,?,?), ref: 004F2536
          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,33F38F03), ref: 004F05B6
          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,0000FDE9,00000000,?,?,00000000,00000000,33F38F03), ref: 004F0608
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Heap$ByteCharMultiProcessWide$AllocFree
          • String ID:
          • API String ID: 1621643742-0
          • Opcode ID: 103f697e45e7fd1445694db5540e0332a66c223f89d289ee4665a84dd7077436
          • Instruction ID: 2813bc36f9cd732cd729cdca64ff6b49f415e236973295f4b2576b18937c38c7
          • Opcode Fuzzy Hash: 103f697e45e7fd1445694db5540e0332a66c223f89d289ee4665a84dd7077436
          • Instruction Fuzzy Hash: A74180B1904249EFDB14DFA8D805BAABBF8FB45724F10476EE524A73C0D7B95A048B90
          APIs
          • GetProcessHeap.KERNEL32(00000008,00000008,00000000,004FA133), ref: 0070F39E
          • HeapAlloc.KERNEL32(00000000), ref: 0070F3A5
          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0070F3EB
          • HeapFree.KERNEL32(00000000), ref: 0070F3F2
            • Part of subcall function 0070F237: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,0070F3E1,?), ref: 0070F25B
            • Part of subcall function 0070F237: HeapAlloc.KERNEL32(00000000,?,0070F3E1,?), ref: 0070F262
          Memory Dump Source
          • Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
          • Associated: 00000000.00000002.1739562533.00000000004E0000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739846551.00000000007A3000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739908066.000000000085E000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739921554.0000000000860000.00000008.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739935223.0000000000861000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1739950792.000000000086C000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
          Similarity
          • API ID: Heap$Process$Alloc$Free
          • String ID:
          • API String ID: 1864747095-0
          • Opcode ID: 80fa6f4dc74bebafca5a403a95909a48aef9d519ad108253d8376936cda98bad
          • Instruction ID: 795925be3a80da804509d664b24b1526bdabc2423a5cce8330b9e009c18eecdb
          • Opcode Fuzzy Hash: 80fa6f4dc74bebafca5a403a95909a48aef9d519ad108253d8376936cda98bad
          • Instruction Fuzzy Hash: F4F0BB73504611D7CB356BB8BC1C95B7995AFC17617158234F506C66C4DE3CC8419764
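The function records above are easier to triage in bulk than by eye: each one is a block of API call lines (call site, module, arguments as the sandbox resolved them, and calls seen only inside a callee), the strings referenced by the function, and a Similarity block whose Opcode ID keys the record. The following Python parser is an added example, not Joe Sandbox code; the record layout (a record runs from its APIs/Strings header to the end of its Similarity block) is inferred from the rendered page, and SAMPLE is constructed from two of the records shown above.

```python
# Parser for the per-function records of a Joe Sandbox report (the APIs /
# Strings / Similarity blocks above). Added example, not Joe Sandbox code: the
# record layout is inferred from the page, SAMPLE is built from two of its records.
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
  • Part of subcall function 004EB480: GetProcessHeap.KERNEL32 ref: 004EB4D5
• CloseHandle.KERNEL32(?,33F38F03,00868658,?,?,80004005,33F38F03,00000004), ref: 0063DDEB
• DeleteCriticalSection.KERNEL32(?,33F38F03,00868658,?,?,80004005,33F38F03,00000004), ref: 0063DEA4
Strings
• << Advanced Installer (x86) Log >>, xrefs: 0063DD45
Memory Dump Source
• Source File: 00000000.00000002.1739575898.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4e0000_kas77c5mDL.jbxd
Similarity
• API ID: CloseCriticalDeleteHandleHeapProcessSection
• String ID: << Advanced Installer (x86) Log >>
• API String ID: 1977327082-396061572
• Opcode ID: 0f79533c52ff7287bb0f8bd840d0b73f6600ee3c03f9e194ec73afb7e6e8376d
• Instruction ID: 38cad28808522067e1fa536eaf8f7433f78f1c4a645afb0d6da5f2569bca5f48
APIs
• OpenEventW.KERNEL32(00000000,00000000,33F38F03,_pbl_evt,00000008,?,?,007EA4DC,00000001,33F38F03,?), ref: 006AF12E
• CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 006AF14B
Strings
Similarity
• API ID: Event$CreateOpen
• String ID: _pbl_evt
• API String ID: 2335040897-4023232351
• Opcode ID: 561fc619c64e2a9418edd48473d75a2b0c9c51e4413a39eb94b1f9d55645f7d4
• Instruction ID: ad95ef1302d0407d5d2d2a30489b2d1e5eecf3a935709d70a0f205689906bba0
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR: " when the call was seen inside a callee.
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^•\s*(?P<s>.*?),\s*xrefs:\s*(?P<xref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address
    subcall_of: str | None = None  # callee address when reported indirectly

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref)
    sim: dict[str, str] = field(default_factory=dict)  # Similarity key -> value

def parse_records(text: str) -> list[FunctionRecord]:
    """A record runs from its first section header to the end of its Similarity
    block; lines before the first header belong to an earlier record and are skipped."""
    records: list[FunctionRecord] = []
    cur = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if cur is None or section == "Similarity":
                cur = FunctionRecord()
                records.append(cur)
            section = line
        elif cur is None or not line:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["s"], m["xref"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.sim[m["key"]] = m["val"]
    return records

def decode_arg(arg: str) -> int | str | None:
    """'?' is unknown; a hex word becomes an int (0000FDE9 -> 65001, CP_UTF8);
    anything else is a string the sandbox resolved (event name, path, ...)."""
    if arg == "?":
        return None
    return int(arg, 16) if re.fullmatch(r"-?[0-9A-F]{1,8}", arg) else arg

def direct_calls(rec: FunctionRecord) -> list[str]:
    """Names of the function's own calls, ordered by call-site address."""
    return [c.name for c in sorted(rec.apis, key=lambda c: int(c.ref, 16))
            if c.subcall_of is None]

def records_calling(records: list[FunctionRecord], api: str) -> list[str]:
    """Opcode IDs of the records whose function itself calls `api`."""
    return [r.sim.get("Opcode ID", "") for r in records if api in direct_calls(r)]
```

Running `parse_records` over the text of a whole report and then `records_calling(recs, "CreateEventW")` or `direct_calls(rec)` gives the call sequences with their resolved string arguments (the `_pbl_evt` event name, the `ADVINST_LOGS` temp directory), which is the evidence that matters when deciding whether an installer stub like this one is doing more than an installer should. `decode_arg` turns the hex words the sandbox prints into integers; the `0000FDE9` passed to MultiByteToWideChar in one of the records above is 65001, the CP_UTF8 code page. Note that in these records the Opcode Fuzzy Hash repeats the Opcode ID, so the Opcode ID is the value to key on when deduplicating across reports.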