Windows Analysis Report
PJ-0020241013_setup.exe

Overview

General Information

Sample name: PJ-0020241013_setup.exe
Analysis ID: 1533006
MD5: 3da00dd654b74f9ce78ee91f395c9fb7
SHA1: 4487004823e4fa389f7a78db444319ff48feb32c
SHA256: e6e117fe163ef9db17a29fcfbf6fb9e18e432278083b273bc25a1a64572988cc

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Deletes itself after installation
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PJ-0020241013_setup.exe (PID: 5288 cmdline: "C:\Users\user\Desktop\PJ-0020241013_setup.exe" MD5: 3DA00DD654B74F9CE78EE91F395C9FB7)
    • czrdnq8b.exe (PID: 5944 cmdline: "C:\Users\user\Documents\czrdnq8b.exe" MD5: 655651DF2AEF751ED40244A79373AD2A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: PJ-0020241013_setup.exe, Virustotal: Detection: 54%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Documents\czrdnq8b.exe, Joe Sandbox ML: detected
Source: PJ-0020241013_setup.exe, Joe Sandbox ML: detected
Source: PJ-0020241013_setup.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: C:\Users\BLACK\Desktop\E_Loader 1.0\Release\E_Loader.pdb source: czrdnq8b.exe, czrdnq8b.exe, 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdbk source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000006077000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005C26000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000003.1497079778.000000000342D000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe.0.dr
Source: Binary string: C:\Users\Administrator\Desktop\Windows\Lib\HPSocket4C\x86\HPSocket4C.pdb source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, czrdnq8b.exe, 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe.0.dr
Source: Binary string: H:\pub_are2\rc_bug_mas_v12_2408\Build\Release\WPSOffice\office6\kshell.pdb source: PJ-0020241013_setup.exe, 00000000.00000003.1482450320.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000002.1485872799.0000000000ED4000.00000002.00000001.01000000.00000003.sdmp
Source: global traffic, TCP traffic: 192.168.2.8:49704 -> 58.49.151.131:3760
Source: Joe Sandbox View, IP Address: 203.107.1.33
Source: global traffic, HTTP traffic detected: GET /100000/d?host=www.aliyun.com HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Referer: http://203.107.1.33/100000/d?host=www.aliyun.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 | Host: 203.107.1.33
Source: unknownTCP traffic detected without corresponding DNS query: 58.49.151.131
Source: unknownTCP traffic detected without corresponding DNS query: 203.107.1.33
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F303B0 _HP_UdpArqServer_SetRecvWndSize@8,2_2_02F303B0
Source: PJ-0020241013_setup.exeString found in binary or memory: http://127.0.0.1:58890/transferEcho/runParams
Source: PJ-0020241013_setup.exeString found in binary or memory: http://127.0.0.1:58890/transferEcho/runParamshttps://127.0.0.1:58891/transferEcho/runParams);xhr.sen
Source: czrdnq8b.exe, 00000002.00000003.1528132894.0000000003451000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.107.1.33/
Source: czrdnq8b.exe.0.drString found in binary or memory: http://203.107.1.33/100000/d?host=www.aliyun.com
Source: czrdnq8b.exe, 00000002.00000003.2509034813.0000000003450000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.2548843903.0000000003450000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.107.1.33/100000/d?host=www.aliyun.comKeep-Alive
Source: czrdnq8b.exe, 00000002.00000003.1528109888.000000000345B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.107.1.33/100000/d?host=www.aliyun.comKeep-Alivei
Source: czrdnq8b.exe, 00000002.00000003.1818143419.000000000345D000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000002.2717222863.0000000003459000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.1547620419.000000000345D000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.2146631187.000000000345E000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.2588967456.0000000003459000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.107.1.33/100000/d?host=www.aliyun.comO
Source: czrdnq8b.exe, 00000002.00000002.2716800438.000000000120E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.107.1.33/100000/d?host=www.aliyun.comr/
Source: czrdnq8b.exe, 00000002.00000003.1528132894.0000000003451000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.107.1.33/7
Source: PJ-0020241013_setup.exeString found in binary or memory: http://Mpr.dllWNetAddConnection2Wnamelist/wps/jsaddons/jsaddinblockhost.ini/wps/jsaddons/authaddin.j
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: PJ-0020241013_setup.exeString found in binary or memory: http://ic.wps.cn/wpsv6internet/infos.adsICLimitElapsedICForTestICPercentCTICPercentProofreadBottomIC
Source: PJ-0020241013_setup.exeString found in binary or memory: http://info.wps.cn/wpsv6internet/infos.ads
Source: PJ-0020241013_setup.exeString found in binary or memory: http://info.wps.cn/wpsv6internet/infos.ads56drive_improvenew_slide_btnjm_function/2019/wps/client/ap
Source: PJ-0020241013_setup.exeString found in binary or memory: http://info.wps.cn/wpsv6internet/infos.adswps_safep0p1p2p3p4p5p6p7dm=%1&action=%1&guid=%1&hdid=%1&uu
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
Source: PJ-0020241013_setup.exe, 00000000.00000001.1462894700.00000000018D4000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000577D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://root/CertEnroll/kingsoft%20root.crl02
Source: PJ-0020241013_setup.exe, 00000000.00000001.1462894700.00000000018D4000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000577D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://root/CertEnroll/root_kingsoft%20root.crt0=
Source: PJ-0020241013_setup.exeString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PJ-0020241013_setup.exeString found in binary or memory: http://spinfo.wps.cn/subproduct/infos.adsSoftware
Source: PJ-0020241013_setup.exeString found in binary or memory: http://switch.pcfg.cache.wpscdn.cn/platform_lmt/
Source: PJ-0020241013_setup.exeString found in binary or memory: http://switch.pcfg.cache.wpscdn.cn/platform_lmt/BackStageCfgPreCheck
Source: PJ-0020241013_setup.exeString found in binary or memory: http://wdl1.cache.wps.cn/per-plugin/dl/onlineshapes/
Source: PJ-0020241013_setup.exeString found in binary or memory: http://wps-community.org/download.html
Source: PJ-0020241013_setup.exeString found in binary or memory: http://wps-community.org/download/dicts/
Source: PJ-0020241013_setup.exeString found in binary or memory: http://wps-community.org/download/dicts/Zip
Source: PJ-0020241013_setup.exeString found in binary or memory: http://www.baidu.com/robots.txt
Source: PJ-0020241013_setup.exeString found in binary or memory: http://www.baidu.com/robots.txtdefaultValue
Source: PJ-0020241013_setup.exe, 00000000.00000002.1485872799.00000000019C8000.00000002.00000001.01000000.00000003.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000586D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: czrdnq8b.exe, 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: czrdnq8b.exe, 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.winimage.com/zLibDll-incompatible
Source: PJ-0020241013_setup.exeString found in binary or memory: https://127.0.0.1:58891/transferEcho/runParams
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe.0.drString found in binary or memory: https://2023.ipchaxun.com/
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe.0.drString found in binary or memory: https://2023.ipchaxun.com/ip#
Source: PJ-0020241013_setup.exeString found in binary or memory: https://drive.wps.com/filecollect/
Source: PJ-0020241013_setup.exeString found in binary or memory: https://drive.wps.com/filecollect/pc_filecollectDisableFileCollectfeature_filecollectDateSkewedInval
Source: PJ-0020241013_setup.exeString found in binary or memory: https://f.wps.cn/
Source: PJ-0020241013_setup.exeString found in binary or memory: https://f.wps.cn/https://www.wps.cn/learning/https://get.wps.cn/PrintPreview/ControlTitleFeedback&ap
Source: PJ-0020241013_setup.exeString found in binary or memory: https://get.wps.cn/
Source: PJ-0020241013_setup.exeString found in binary or memory: https://get.wps.cn/feedback/pc
Source: PJ-0020241013_setup.exeString found in binary or memory: https://get.wps.cn/feedback/pc?product_id=1000099&detail=Open_print_service
Source: PJ-0020241013_setup.exeString found in binary or memory: https://get.wps.cn/feedback/pc?product_id=1000099&detail=Open_print_service_kso_Printer_ConnectTimeo
Source: PJ-0020241013_setup.exeString found in binary or memory: https://get.wps.cn/feedback/pc?product_id=1000099&detail=Trouble_shooting
Source: PJ-0020241013_setup.exeString found in binary or memory: https://get.wps.cn/feedback/pc?product_id=1000099&detail=Trouble_shooting_kso_Printer_QueryTimeout_M
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2717037533.0000000002F7A000.00000040.00001000.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe.0.drString found in binary or memory: https://github.com/ldcsaa/HP-SocketF
Source: PJ-0020241013_setup.exeString found in binary or memory: https://home.wps.cn/topic/10224
Source: PJ-0020241013_setup.exeString found in binary or memory: https://privacy.wps.cn/policies/eula/wps-pdf-Windows
Source: PJ-0020241013_setup.exeString found in binary or memory: https://privacy.wps.cn/policies/eula/wps_forB
Source: PJ-0020241013_setup.exeString found in binary or memory: https://qa.wps.cn/feedback/front?wpsid=%1&product_name=%2
Source: PJ-0020241013_setup.exeString found in binary or memory: https://qing.wps.cn
Source: PJ-0020241013_setup.exeString found in binary or memory: https://qing.wps.cn/api/ping1onNetworkRequestFinished(QNetworkReply
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe.0.drString found in binary or memory: https://searchplugin.csdn.net/api/v1/ip/get
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe.0.drString found in binary or memory: https://searchplugin.csdn.net/api/v1/ip/geth
Source: PJ-0020241013_setup.exeString found in binary or memory: https://switch.pcfg.cache.wpscdn.cn/wps_assets/cfg/ad/switch/
Source: PJ-0020241013_setup.exeString found in binary or memory: https://switch.pcfg.cache.wpscdn.cn/wps_assets/cfg/ad/switch/h
Source: PJ-0020241013_setup.exeString found in binary or memory: https://vip.wps.cn/pay/member/%1/?csource=docerpersonclient
Source: PJ-0020241013_setup.exeString found in binary or memory: https://vip.wps.cn/pay/member/%1/?csource=docerpersonclientNewInstallTime1onFinished(QNetworkReply
Source: PJ-0020241013_setup.exeString found in binary or memory: https://vip.wps.cn/privilege_page/privilege_detail?id=%1
Source: PJ-0020241013_setup.exeString found in binary or memory: https://vip.wps.cn/privilege_page/privilege_detail?id=%1border-radiusKArrowToolTipWidgetshadow-width
Source: PJ-0020241013_setup.exeString found in binary or memory: https://vipapi.wps.cn/skin/api/upgrade_skin
Source: PJ-0020241013_setup.exeString found in binary or memory: https://vipapi.wps.cn/skin/api/upgrade_skin?snact=1?snact=01onRequestUrlSuccess(TASKID
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.google.com/search?q=%1
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.google.com/search?q=%1p
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.wps.cn/learning/
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.wps.cn/privacy/full_pdfpro
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.wps.cn/privacy/full_pdfproEnableEULAPageSetup/CustomInstitutionsetup/CustomPlatformsetup
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.wps.com/eula
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.wps.com/support
Source: PJ-0020241013_setup.exeString found in binary or memory: https://www.wps.com/supporthttps://get.wps.cn/feedback/pcPreview
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB15B2 NtProtectVirtualMemory,2_2_00FB15B2
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB1672 NtProtectVirtualMemory,2_2_00FB1672
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB1645 NtProtectVirtualMemory,2_2_00FB1645
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\z.dll F94949A6C121A525F661DD8ABD917EB37A5CF582C89E3A258170A15D30CC0CC2
Source: C:\Users\user\Documents\czrdnq8b.exe Code function: String function: 02F43550 appears 62 times
Source: C:\Users\user\Documents\czrdnq8b.exe Code function: String function: 02F236B0 appears 117 times
Source: C:\Users\user\Documents\czrdnq8b.exe Code function: String function: 02F23660 appears 59 times
Source: PJ-0020241013_setup.exe Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: czrdnq8b.exe.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDrvInDll.Dll vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHPSocket4C.dll4 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDrvInDll.Dll vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHPSocket4C.dll4 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000001.1462894700.00000000018D4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamekshell.dll6 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDrvInDll.Dll vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHPSocket4C.dll4 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1482450320.000000000577D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekshell.dll6 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDrvInDll.Dll vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezlib.dll2 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHPSocket4C.dll4 vs PJ-0020241013_setup.exe
Source: PJ-0020241013_setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal68.evad.winEXE@3/3@0/2
Source: C:\Users\user\Documents\czrdnq8b.exe Code function: 2_2_00FCBBF4 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,2_2_00FCBBF4
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exe File created: C:\Users\user\Documents\conf.ini
Source: PJ-0020241013_setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exe File read: C:\Users\user\Documents\conf.ini
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PJ-0020241013_setup.exe Virustotal: Detection: 54%
Source: PJ-0020241013_setup.exe String found in binary or memory: /from:ksostart /install:kso
Source: PJ-0020241013_setup.exe String found in binary or memory: Server/ReinstallServer
Source: PJ-0020241013_setup.exe String found in binary or memory: %1/addons/%2/%3
Source: PJ-0020241013_setup.exe String found in binary or memory: listText-additionalinfo
Source: PJ-0020241013_setup.exe String found in binary or memory: Invalid record. This file may have been renamed, deleted or moved.listTextKRoamingPagelistText-disDownloadsDesktopTencent FilesFileRecvQQ FileRecvWeChat FilesWechat FileDocuments%1ja_JPlistText-additionalinfo@I@@P@ r@ w@@`
Source: PJ-0020241013_setup.exe String found in binary or memory: background-start
Source: PJ-0020241013_setup.exe String found in binary or memory: %1/addons/%2/%2.dll
Source: PJ-0020241013_setup.exe String found in binary or memory: /addons/list/
Source: PJ-0020241013_setup.exe String found in binary or memory: win-i386/addons/list/ksolaunch.exe/wpscloudlaunch /run_plugin /plugin_name=ksharetofriend /plugin_entry=ksharetofriend.dll /showDlg /appName="/wpsplugin.plg.dll
Source: PJ-0020241013_setup.exe String found in binary or memory: ./addons/kfeedbackcmds/kfeedbackcmds
Source: PJ-0020241013_setup.exe String found in binary or memory: :/loading.gif
Source: PJ-0020241013_setup.exe String found in binary or memory: /utility/install.ini
Source: PJ-0020241013_setup.exe String found in binary or memory: /addons/%1/mui/%2/%3
Source: PJ-0020241013_setup.exe String found in binary or memory: AIRecommendlockTaskPanetabbarMenuSwitchshowTaskPanegroupcssTypeimageadvanceconfigelementdescoption1option2imagehostcustomimageurlkwebonlinetaskpanecontent.xml/wps/cdnwps/upload/official/template/docer/2020-05-15/task-form/%1/mui/%2/%3/addons/%1/mui/%2/%3onlinetaskpaneres%1%2.svgbasicConfigadvanceConfiggoToPageofficekingsoftplugins1onDestroyed()saveCustSettingswps_apptaskpanel_%1invalidate
Source: PJ-0020241013_setup.exe String found in binary or memory: /addons/
Source: PJ-0020241013_setup.exe String found in binary or memory: :/icons/16x16/AddRestrictPermissionUser.png
Source: PJ-0020241013_setup.exe String found in binary or memory: :/icons/16x16/AddRestrictPermissionAnyone.png
Source: PJ-0020241013_setup.exe String found in binary or memory: KxRestrictedAccessDlgpermisionGroupBoxreadToolButton:/icons/16x16/AddRestrictPermissionUser.pngreadTextEditreadLabelreadEveryone:/icons/16x16/AddRestrictPermissionAnyone.pngchangeToolButtonchangeTextEditchangeLabelchangeEveryonemoreOptionPushButtonEnter the e-mail addresses of users in the Read and Change boxes (exapmle: 'someone@example.com').
Source: PJ-0020241013_setup.exe String found in binary or memory: :/icons/16x16/AddRestrictPermissionCheckNames.png
Source: PJ-0020241013_setup.exe String found in binary or memory: :/gif/loading-data.gif
Source: PJ-0020241013_setup.exe String found in binary or memory: :/gif/loading-data-dark.gif
Source: PJ-0020241013_setup.exe String found in binary or memory: sign-tocloud-help
Source: PJ-0020241013_setup.exe String found in binary or memory: p-signtocloud-help
Source: PJ-0020241013_setup.exeString found in binary or memory: /addons/data/
Source: PJ-0020241013_setup.exeString found in binary or memory: /addons
Source: PJ-0020241013_setup.exeString found in binary or memory: BLACKChartFontColor1moreColorSlot()1autoColorSlot()1updateIcon(const QColor &)2currentColorChanged(const QColor &)minisite/addons/data//addons/wpsminisite.iniqrc:resource
Source: PJ-0020241013_setup.exeString found in binary or memory: resource/filedialog/loadingall.gif
Source: PJ-0020241013_setup.exeString found in binary or memory: resource/filedialog/loadingfail.gif
Source: PJ-0020241013_setup.exeString found in binary or memory: -startup
Source: PJ-0020241013_setup.exeString found in binary or memory: Recommended save as specify formatKernel32.dllFindCloseKImagePlayDlg\*\.%1(;|\|)\*\.%1;wpssoso\Everything.dllEverything_SetSearchWEverything_QueryWEverything_GetLastErrorEverything_GetNumResultsEverything_GetResultFileNameWEverything_IsFolderResultEverything_GetResultPathWEverything_Reset_Everything_GetReplyWindow@0resource/filedialog/bg_loading.pngresource/filedialog/loadingall.gifSearch Waiting Textresource/filedialog/loadingfail.gifSearch Fail Text1OnPluginLoadFailed()1OnPluginLoaded()\Everything.ini\kingsoft\wps\everything\Everything.ini\Kingsoft\office6\backup","\Kingsoft\WPS Cloud Files\userdata\qing\filecache\\exclude_foldersEverything\Everything.exeEverything.exe-startup1OnWpsHelperRunFinished(const WpsHostRunParam&)
Source: PJ-0020241013_setup.exeString found in binary or memory: :/icons_svg/16x16/LoadingCircle.svg
Source: PJ-0020241013_setup.exeString found in binary or memory: :/icons_svg/16x16/LoadingCircle.svg1onAnim()1onThreadingBeforeFinished()2threadingBeforeFinished()1onThreadingAllFinished()printPreviewDiagnosisLabelKSO_Print_DiagnoseDiagnose1onComboBoxPrinterActivated(const QString&)2activated(const QString&)1onComboBoxCurrentPrinterChanged(const QString&)1onComboBoxRowInserted(QModelIndex,int,int)2rowsInserted(QModelIndex,int,int)The system cannot connect to the printer._kso_System_PrintService_NotEnabledThe system print service is not enabledKSO_Print_NoPrinterInstalledAndCheckThe printer is not installed in the system, please go to the system settings to checkKSO_Print_NoPrinterInstalledThe system shows that you do not have a printer installedkeepShowingKSO_Print_Service_StartedSystem print service is startedKSO_Print_Service_StartFailedThe system print service failed to startKSO_Print_GettingPrinterGetting printer listprintpreview_printercomboboxchange
Source: PJ-0020241013_setup.exeString found in binary or memory: text-help
Source: PJ-0020241013_setup.exeString found in binary or memory: KxPrint2022LiteLabeltext-helpKxPrint2022SpecifyPageLabelH"
Source: PJ-0020241013_setup.exeString found in binary or memory: ./addons/kwppcopilot/kwppcopilot.dll
Source: PJ-0020241013_setup.exeString found in binary or memory: kwebwpscopilotisEntryEnabled__trigger_source__ktaskpanelcopilotisUseEntryControlonUpdateAiEntryVisbiledisableaientryai_clickentryId%1_taskpanelAIEntry_visibleai_appAI_assistantopen_positionisCopilotPluginExistinvoke isCopilotPluginExist failedKTaskPanelCopilotProxyCommand::onCommandTriggerKTaskPanelCopilotEntryonCopilotPluginDownloadSucceeddownloadCopilotPlugininvoke downloadCopilotPlugin failed1tryConnectBtnClicked()tabbarAIEntry1onExistTaskPanelAIFuncChanged(bool, const QString&)2sigExistTaskPanelAIFuncChanged(bool, const QString&)1onEntryEnabledChanged(bool)2sigEntryEnabledChanged(bool)m_tabbarEntryId:%1,visible:%2,enable:%3KTaskPanelCopilotProxyCommand::initEntryControlKMenuWidgetTriggerItemQA_Mouse_Clickedtoolbar_searchexisted: %1KTaskPanelCopilotProxyCommand::onExistTaskPanelAIFuncChangedKTaskPanelCopilotProxyCommand::onCopilotPluginDownloadSucceed1onTabBtnAdd(KCommand*, KxTabButton*)2insertCmdAndBtn(KCommand*, KxTabButton*)1onTabBtnClicked()1onTabBarVisibleChanged(bool)2taskTabBarVisibleChanged(bool)%1 ai_show successKTaskPanelCopilotProxyCommand::reportAiShow%1_floatWidgetAIEntry_visibleafterFloatWidgetHandleUserAitriggerhandleUserAitriggeronCopilotPluginDownloadSuccess./addons/kwppcopilot/kwppcopilot.dllplugin_name: %1KFloatWidgetCopilotProxyCommand::onCopilotPluginDownloadSuccessproduct_name-pcwps-intention_codeonCheckAIAccessFinishedcheckAIAccess%1: kcopilotentrylite invoke checkAIAccess failedKxPostCheckTaskPanelCopilotProxyCommand::checkAuthpdfmain
Source: unknownProcess created: C:\Users\user\Desktop\PJ-0020241013_setup.exe "C:\Users\user\Desktop\PJ-0020241013_setup.exe"
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeProcess created: C:\Users\user\Documents\czrdnq8b.exe "C:\Users\user\Documents\czrdnq8b.exe"
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeProcess created: C:\Users\user\Documents\czrdnq8b.exe "C:\Users\user\Documents\czrdnq8b.exe" Jump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: iconcodecservice.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: crtdll.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: winhttpcom.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: webio.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeFile written: C:\Users\user\Documents\conf.iniJump to behavior
Source: PJ-0020241013_setup.exeStatic file information: File size 28442624 > 1048576
Source: PJ-0020241013_setup.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a29000
Source: Binary string: C:\Users\BLACK\Desktop\E_Loader 1.0\Release\E_Loader.pdb source: czrdnq8b.exe, czrdnq8b.exe, 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: .pdbk source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000006077000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005C26000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000003.1497079778.000000000342D000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe.0.dr
Source: Binary string: C:\Users\Administrator\Desktop\Windows\Lib\HPSocket4C\x86\HPSocket4C.pdb source: PJ-0020241013_setup.exe, 00000000.00000003.1485134886.0000000005EBF000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466281213.0000000005A6E000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1467048728.0000000005C97000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000003.1466586418.0000000005A66000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, czrdnq8b.exe, 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000000.1482147431.00000000010A8000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe, 00000002.00000002.2716543511.00000000010AC000.00000002.00000001.01000000.00000007.sdmp, czrdnq8b.exe.0.dr
Source: Binary string: H:\pub_are2\rc_bug_mas_v12_2408\Build\Release\WPSOffice\office6\kshell.pdb source: PJ-0020241013_setup.exe, 00000000.00000003.1482450320.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, PJ-0020241013_setup.exe, 00000000.00000002.1485872799.0000000000ED4000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeCode function: 0_2_004BB425 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_004BB425
Source: z.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x72b5
Source: czrdnq8b.exe.0.drStatic PE information: real checksum: 0x21c2f6 should be: 0x221035
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeCode function: 0_2_004B26C3 push ecx; ret 0_2_004B26D3
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeCode function: 0_2_004ADCD0 push eax; ret 0_2_004ADCE4
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeCode function: 0_2_004ADCD0 push eax; ret 0_2_004ADD0C
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeCode function: 0_2_004AFCE0 push eax; ret 0_2_004AFCFE
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00F95E5D push ecx; ret 2_2_00F95E70
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_01081C15 push ecx; ret 2_2_01081C28
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_0107E634 push eax; ret 2_2_0107E652
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F50075 push ecx; ret 2_2_02F50088
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F67E24 push ebx; iretd 2_2_02F67E29
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_1000C1A8 push eax; retn 0000h2_2_1000C1A9
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_1000C1B0 push es; retn 0000h2_2_1000C189
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeFile created: C:\Users\user\Documents\czrdnq8b.exeJump to dropped file
Source: C:\Users\user\Documents\czrdnq8b.exeFile created: C:\Users\user\AppData\Roaming\z.dllJump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\czrdnq8b.exeFile deleted: c:\users\user\desktop\pj-0020241013_setup.exeJump to behavior
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_2-64894
Source: C:\Users\user\Documents\czrdnq8b.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\z.dllJump to dropped file
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-2507
Source: C:\Users\user\Documents\czrdnq8b.exeAPI coverage: 5.9 %
Source: C:\Users\user\Documents\czrdnq8b.exe TID: 6760Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exe TID: 5876Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB1104 GetSystemInfo,2_2_00FB1104
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485407999.00000000020D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PJ-0020241013_setup.exe, 00000000.00000003.1485563647.00000000020C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: czrdnq8b.exe, 00000002.00000003.2509034813.0000000003459000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.1818143419.000000000345D000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000002.2717222863.0000000003459000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.2548843903.0000000003459000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.1547620419.000000000345D000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.1528109888.000000000345B000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.2146543213.0000000003463000.00000004.00000020.00020000.00000000.sdmp, czrdnq8b.exe, 00000002.00000003.2588967456.0000000003459000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: czrdnq8b.exe, 00000002.00000002.2717145511.000000000342C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeAPI call chain: ExitProcess graph end nodegraph_0-2492
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeAPI call chain: ExitProcess graph end nodegraph_0-2508
Source: C:\Users\user\Documents\czrdnq8b.exeAPI call chain: ExitProcess graph end nodegraph_2-64972
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00F98858 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00F98858
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB1094 mov ebx, dword ptr fs:[00000030h]2_2_00FB1094
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB1865 mov ebx, dword ptr fs:[00000030h]2_2_00FB1865
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB1815 mov esi, dword ptr fs:[00000030h]2_2_00FB1815
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FCD905 mov ebx, dword ptr fs:[00000030h]2_2_00FCD905
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FCDA79 mov ebx, dword ptr fs:[00000030h]2_2_00FCDA79
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FC0B75 mov ebx, dword ptr fs:[00000030h]2_2_00FC0B75
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FB1527 mov ebx, dword ptr fs:[00000030h]2_2_00FB1527
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_01003930 GetProcessHeap,HeapFree,2_2_01003930
Source: C:\Users\user\Documents\czrdnq8b.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00F9A489 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00F9A489
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00F94DE7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00F94DE7
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F4FBE6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_02F4FBE6
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F4CFF9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_02F4CFF9
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00FCAE68 cpuid 2_2_00FCAE68
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeCode function: GetLocaleInfoA,0_2_004BC806
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: GetLocaleInfoA,2_2_00F9A5A0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_00F97671 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,2_2_00F97671
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeCode function: 0_2_004CBD45 GetVersion,InitializeCriticalSection,0_2_004CBD45
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: czrdnq8b.exe, 00000002.00000002.2717145511.0000000003420000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kxetray.exe
Source: czrdnq8b.exe, 00000002.00000002.2717145511.0000000003420000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 360tray.exe
Source: C:\Users\user\Desktop\PJ-0020241013_setup.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F200 _Destroy_HP_UdpServerListener@4,2_2_02F2F200
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F49300 socket,WSAIoctl,WSAGetLastError,WSAGetLastError,ioctlsocket,bind,SetLastError,SetLastError,GetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,WSAGetLastError,SetLastError,2_2_02F49300
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F0E0 _Create_HP_TcpAgentListener@0,2_2_02F2F0E0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F0A0 _Create_HP_TcpServerListener@0,2_2_02F2F0A0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F46080 bind,htons,bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,2_2_02F46080
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F1D0 _Create_HP_TcpPullClientListener@0,2_2_02F2F1D0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F190 _Create_HP_TcpPullAgentListener@0,2_2_02F2F190
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F150 _Create_HP_TcpPullServerListener@0,2_2_02F2F150
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F120 _Create_HP_TcpClientListener@0,2_2_02F2F120
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F31630 _Create_HP_ThreadPoolListener@0,2_2_02F31630
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F47630 socket,WSAGetLastError,SetLastError,WSAIoctl,WSAGetLastError,ioctlsocket,bind,WSAGetLastError,SetLastError,getsockname,WSAGetLastError,SetLastError,setsockopt,SetLastError,SetLastError,GetLastError,SetLastError,2_2_02F47630
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F3B610 WSASetLastError,WSAGetLastError,WSAStringToAddressA,WSAGetLastError,socket,WSAIoctl,WSAGetLastError,setsockopt,htons,bind,WSAGetLastError,2_2_02F3B610
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F31600 _HP_Set_FN_UdpNode_OnPrepareListen@8,2_2_02F31600
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F397B0 WSASetLastError,WSAGetLastError,SetLastError,WSAStringToAddressA,socket,bind,_memmove,closesocket,WSAGetLastError,SetLastError,closesocket,2_2_02F397B0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F7A0 _HP_Server_GetListenAddress@16,2_2_02F2F7A0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F4E0 _Create_HP_UdpNodeListener@0,2_2_02F2F4E0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F4B0 _Create_HP_UdpCastListener@0,2_2_02F2F4B0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F480 _Create_HP_UdpClientListener@0,2_2_02F2F480
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F440 _Create_HP_UdpServerListener@0,2_2_02F2F440
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F550 _Create_HP_UdpArqClientListener@0,2_2_02F2F550
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F510 _Create_HP_UdpArqServerListener@0,2_2_02F2F510
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F44BF0 bind,InterlockedIncrement,InterlockedIncrement,InterlockedIncrement,2_2_02F44BF0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F318F0 _Destroy_HP_ThreadPoolListener@4,2_2_02F318F0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F950 _HP_TcpServer_GetSocketListenQueue@4,2_2_02F2F950
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2F930 _HP_TcpServer_SetSocketListenQueue@8,2_2_02F2F930
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F3EE60 socket,WSAIoctl,WSAGetLastError,WSAGetLastError,setsockopt,ioctlsocket,bind,SetLastError,SetLastError,listen,WSAGetLastError,SetLastError,GetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,SetLastError,2_2_02F3EE60
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2FFD0 _HP_Client_StartWithBindAddressAndLocalPort@24,2_2_02F2FFD0
Source: C:\Users\user\Documents\czrdnq8b.exeCode function: 2_2_02F2FFA0 _HP_Client_StartWithBindAddress@20,2_2_02F2FFA0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Obfuscated Files or Information | LSA Secrets | 12 File and Directory Discovery | SSH | Keylogging | 11 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 25 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label | Link
PJ-0020241013_setup.exe | 54% | Virustotal | | Browse
PJ-0020241013_setup.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\Documents\czrdnq8b.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\z.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://www.winimage.com/zLibDll | 0% | URL Reputation | safe |
https://drive.wps.com/filecollect/ | 0% | Virustotal | | Browse
https://www.wps.com/support | 0% | Virustotal | | Browse
https://github.com/ldcsaa/HP-SocketF | 0% | Virustotal | | Browse
https://www.wps.com/eula | 0% | Virustotal | | Browse
http://wps-community.org/download/dicts/Zip | 0% | Virustotal | | Browse
http://www.winimage.com/zLibDll-incompatible | 0% | Virustotal | | Browse
https://2023.ipchaxun.com/ | 0% | Virustotal | | Browse
https://get.wps.cn/feedback/pc?product_id=1000099&detail=Open_print_service_kso_Printer_ConnectTimeo | 0% | Virustotal | | Browse
No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
203.107.1.33 | unknown | China | | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
58.49.151.131 | unknown | China | | 58563 | CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1533006
Start date and time:2024-10-14 09:45:34 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 2s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:PJ-0020241013_setup.exe
Detection:MAL
Classification:mal68.evad.winEXE@3/3@0/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 53%
• Number of executed functions: 62
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:46:41 | API Interceptor | 10x Sleep call for process: czrdnq8b.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
203.107.1.33 | Tomcat.bin.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | b4cbf3ffbd8e152116e72487c3b16f1d.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | Tomcat.bin.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | b4cbf3ffbd8e152116e72487c3b16f1d.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | Tomcat.bin.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | 1I9EGoBq.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | Tomcat.bin.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | 1I9EGoBq.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | Tomcat.bin.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
203.107.1.33 | setup8803165981.exe | Get hash | malicious | Unknown | Browse | 203.107.1.33/100000/d?host=www.aliyun.com
58.49.151.131 | 09569097_setup.exe | Get hash | malicious | Unknown | Browse | 58.49.151.131/
58.49.151.131 | 09569097_setup.exe | Get hash | malicious | Unknown | Browse | 58.49.151.131/

No context
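Match | Associated Sample Name / URL | Detection | Threat Name | Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | arm5.nn-20241014-0317.elf | malicious | Mirai, Okiru | 120.26.147.79
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | http://wwwuhex9z.xyz/ | malicious | Unknown | 106.11.43.113
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | http://wwwuhex9z.xyz/ | malicious | Unknown | 203.119.169.174
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | mips.elf | malicious | Mirai, Moobot | 121.42.24.63
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | na.elf | malicious | Mirai | 8.132.173.165
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | yzm8rrCtD5.exe | malicious | CobaltStrike, Metasploit | 47.103.109.70
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | SecuriteInfo.com.Win32.TrojanX-gen.16449.26967.exe | malicious | Unknown | 47.102.203.90
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | SecuriteInfo.com.Win32.MalwareX-gen.14234.12476.exe | malicious | Unknown | 47.102.203.90
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | SecuriteInfo.com.Win32.TrojanX-gen.17640.30814.exe | malicious | Unknown | 47.102.203.90
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | SecuriteInfo.com.Win32.MalwareX-gen.14234.12476.exe | malicious | Unknown | 47.102.203.90
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | jYEvdBHMOI.elf | malicious | Mirai | 116.211.142.219
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | 09569097_setup.exe | malicious | Unknown | 58.49.151.131
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | 09569097_setup.exe | malicious | Unknown | 58.49.151.131
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | aP9qAM8Wpm.exe | malicious | Unknown | 116.211.150.111
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | aP9qAM8Wpm.exe | malicious | Unknown | 116.211.150.111
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | https://down-package.ludashicdn.com/downloader/temp_package/2024-07/%E8%85%BE%E8%AE%AF%E4%BC%9A.%E8%AE%AE_4496905339.exe | malicious | Unknown | 116.211.85.130
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | 1yBFfYi5Do.elf | malicious | Unknown | 116.211.174.91
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | networkxm.elf | malicious | Unknown | 119.96.246.149
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | jxnRJIvUKz.elf | malicious | Mirai | 116.211.166.17
CHINATELECOM-HUBEI-IDCCHINANETHubeiprovincenetworkCN | wxa7qH57Zr.elf | malicious | Mirai | 116.211.190.168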
                                                                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\z.dll | Tomcat.bin.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | b4cbf3ffbd8e152116e72487c3b16f1d.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | Tomcat.bin.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | b4cbf3ffbd8e152116e72487c3b16f1d.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | Tomcat.bin.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | 1I9EGoBq.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | Tomcat.bin.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | 1I9EGoBq.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | Tomcat.bin.exe | malicious | Unknown |
C:\Users\user\AppData\Roaming\z.dll | setup8803165981.exe | malicious | Unknown |
                                                                                                                                      Process:C:\Users\user\Documents\czrdnq8b.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28160
                                                                                                                                      Entropy (8bit):7.60529633824776
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:MYU6KLwpgEzR4U1dubgDhx+r6gqeq1ve0/JVzJtr68:MZGz00Dhkrhqeq1veIVzJlf
                                                                                                                                      MD5:849E9F3E59DAF750DB838E885D58C6FA
                                                                                                                                      SHA1:733CB105153E4B83160A52BFA2DDD95D750FB806
                                                                                                                                      SHA-256:F94949A6C121A525F661DD8ABD917EB37A5CF582C89E3A258170A15D30CC0CC2
                                                                                                                                      SHA-512:3FEFF6DB5FC5AE371A4EC60CE13A383668A5ACCAC537A0AE56B9B5B7318A2D5BDB4B79286A519CAD3610CB6D1F335A11C09A4D3165C147A00D5A7880EA23E173
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Joe Sandbox View:
• Filename: Tomcat.bin.exe, Detection: malicious
• Filename: b4cbf3ffbd8e152116e72487c3b16f1d.exe, Detection: malicious
• Filename: Tomcat.bin.exe, Detection: malicious
• Filename: b4cbf3ffbd8e152116e72487c3b16f1d.exe, Detection: malicious
• Filename: Tomcat.bin.exe, Detection: malicious
• Filename: 1I9EGoBq.exe, Detection: malicious
• Filename: Tomcat.bin.exe, Detection: malicious
• Filename: 1I9EGoBq.exe, Detection: malicious
• Filename: Tomcat.bin.exe, Detection: malicious
• Filename: setup8803165981.exe, Detection: malicious
                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$M[.J.[.J.[.J...S.Y.J.[.K._.J.[.J.A.J...D.Z.J...V.I.J...u.Z.J.....Z.J...w.Z.J.Rich[.J.........PE..L...ft.<...........!.....`...........+.......0...............................@........................... ...........4..@...h3.......0..h...................L:......................................................................................UPX0....................................UPX1.....`.......^..................@....rsrc........0.......b..............@..............................................................................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....
                                                                                                                                      Process:C:\Users\user\Desktop\PJ-0020241013_setup.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):121
                                                                                                                                      Entropy (8bit):3.9752259768749205
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:5+WXL2ZGDhSRQqXTRRmUaST0vHJtXXxXUtUGvWjdTQZWgFSRWR55v:5+3c9SNRRmUaSMStUtJXkHv
                                                                                                                                      MD5:5EA124073C7B2E1B1DD7A1CF555C99E7
                                                                                                                                      SHA1:9201A0C3BBDB577676867E260636431DE8287013
                                                                                                                                      SHA-256:1C93855196813F7912F03D00985A6626668112E1A4D08C322916566C1D7915A1
                                                                                                                                      SHA-512:22299F0E7639A8A75EC73321058CEF6D2A6BBC1B17C58987D6FC49EA3C11B69579B0409EA13443D695D493B521B8F1656CAF4F27D2818BFE5184D5AA3CFEE300
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:[a]..a=532A4C45637562634C7865727562644C5475637B647F604C405A3D202022202224212021234F63756465603E756875A23489CE3..t=10/14..
                                                                                                                                      Process:C:\Users\user\Desktop\PJ-0020241013_setup.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2170224
                                                                                                                                      Entropy (8bit):6.888610164886745
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:hVL2yTWaGJnzgjq/9hKspf1OiMeGPsBVPmjxcuE0D5K8Da:7LHWaHYKspfflGEB5j+tO
                                                                                                                                      MD5:655651DF2AEF751ED40244A79373AD2A
                                                                                                                                      SHA1:E963D703211CDC985BFA13B872E02CB00A2CE33C
                                                                                                                                      SHA-256:C6BDBB865019EF347B775D648E574B6C5CD0ADFA95EC5979912AAA8924A18734
                                                                                                                                      SHA-512:D56F771DF38CEFFDCA101126EA62A4E335FE25EA671B2FEA635C050BC9C397264844FCD28A5AFDA66DB006B02E373B6C57F9DFFA1D1D54909D5973C17C083793
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......../..SNgFSNgFSNgF<8.F.NgF<8.F}NgF<8.F.NgF...F]NgF.QtF.NgFZ6.FQNgF1QtFENgF.F:FQNgFSNfF.LgFehmFANgFehlF3NgF.QlF.NgF.QmFHNgFSNgF.NgFI..FRNgF<8.FRNgFRichSNgF........PE..L...3..f.........."......f........................@...........................$.......!...@....................................T.....".hh............ .p%...@#.....................................................................................text....e.......f.................. ..`.rdata...=.......>...j..............@..@.data...l........b..................@....rsrc...hh...."..j..................@..@.reloc..d....@#......t..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):6.983484223868744
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                      File name:PJ-0020241013_setup.exe
                                                                                                                                      File size:28'442'624 bytes
                                                                                                                                      MD5:3da00dd654b74f9ce78ee91f395c9fb7
                                                                                                                                      SHA1:4487004823e4fa389f7a78db444319ff48feb32c
                                                                                                                                      SHA256:e6e117fe163ef9db17a29fcfbf6fb9e18e432278083b273bc25a1a64572988cc
                                                                                                                                      SHA512:caadeb200bc3e758056e03151d8067d8c26d38a21056e8772e2b0ceec051e4f46bc65891fc905dd10827b98d90455a3b95acc0c751e7586599b47145e18112ab
                                                                                                                                      SSDEEP:393216:2IMwzq7u7MgcOTwBi5tbEHeKMtUkH6CGY4IBfqWqxQLP:2IMwzeu7MgcPizbE+5UkH6CGUdNP
                                                                                                                                      TLSH:0B57BE237A08C276E56C01B16C5B5FEFC55ECC280B3259C3A254BE9D78311DB9B3668B
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........a..................................L....................................... ....&.......&......t.......t...............[......
                                                                                                                                      Icon Hash:31989e92929c9831
                                                                                                                                      Entrypoint:0x4ac447
                                                                                                                                      Entrypoint Section:.text
                                                                                                                                      Digitally signed:false
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                      DLL Characteristics:
                                                                                                                                      Time Stamp:0x66F58EBB [Thu Sep 26 16:41:31 2024 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:
                                                                                                                                      OS Version Major:4
                                                                                                                                      OS Version Minor:0
                                                                                                                                      File Version Major:4
                                                                                                                                      File Version Minor:0
                                                                                                                                      Subsystem Version Major:4
                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                      Import Hash:c33dcbbb6ed702516e927aeb428bbd94
                                                                                                                                      Instruction
                                                                                                                                      push 00000060h
                                                                                                                                      push 01EEB4F8h
                                                                                                                                      call 00007F9F852D3EFAh
                                                                                                                                      mov edi, 00000094h
                                                                                                                                      mov eax, edi
                                                                                                                                      call 00007F9F852CF536h
                                                                                                                                      mov dword ptr [ebp-18h], esp
                                                                                                                                      mov esi, esp
                                                                                                                                      mov dword ptr [esi], edi
                                                                                                                                      push esi
                                                                                                                                      call dword ptr [004D4314h]
                                                                                                                                      mov ecx, dword ptr [esi+10h]
                                                                                                                                      mov dword ptr [01F5A60Ch], ecx
                                                                                                                                      mov eax, dword ptr [esi+04h]
                                                                                                                                      mov dword ptr [01F5A618h], eax
                                                                                                                                      mov edx, dword ptr [esi+08h]
                                                                                                                                      mov dword ptr [01F5A61Ch], edx
                                                                                                                                      mov esi, dword ptr [esi+0Ch]
                                                                                                                                      and esi, 00007FFFh
                                                                                                                                      mov dword ptr [01F5A610h], esi
                                                                                                                                      cmp ecx, 02h
                                                                                                                                      je 00007F9F852CDCCEh
                                                                                                                                      or esi, 00008000h
                                                                                                                                      mov dword ptr [01F5A610h], esi
                                                                                                                                      shl eax, 08h
                                                                                                                                      add eax, edx
                                                                                                                                      mov dword ptr [01F5A614h], eax
                                                                                                                                      xor esi, esi
                                                                                                                                      push esi
                                                                                                                                      mov edi, dword ptr [004D4350h]
                                                                                                                                      call edi
                                                                                                                                      cmp word ptr [eax], 5A4Dh
                                                                                                                                      jne 00007F9F852CDCE1h
                                                                                                                                      mov ecx, dword ptr [eax+3Ch]
                                                                                                                                      add ecx, eax
                                                                                                                                      cmp dword ptr [ecx], 00004550h
                                                                                                                                      jne 00007F9F852CDCD4h
                                                                                                                                      movzx eax, word ptr [ecx+18h]
                                                                                                                                      cmp eax, 0000010Bh
                                                                                                                                      je 00007F9F852CDCE1h
                                                                                                                                      cmp eax, 0000020Bh
                                                                                                                                      je 00007F9F852CDCC7h
                                                                                                                                      mov dword ptr [ebp-1Ch], esi
                                                                                                                                      jmp 00007F9F852CDCE9h
                                                                                                                                      cmp dword ptr [ecx+00000084h], 0Eh
                                                                                                                                      jbe 00007F9F852CDCB4h
                                                                                                                                      xor eax, eax
                                                                                                                                      cmp dword ptr [ecx+000000F8h], esi
                                                                                                                                      jmp 00007F9F852CDCD0h
                                                                                                                                      cmp dword ptr [ecx+74h], 0Eh
                                                                                                                                      jbe 00007F9F852CDCA4h
                                                                                                                                      xor eax, eax
                                                                                                                                      cmp dword ptr [ecx+000000E8h], esi
                                                                                                                                      setne al
                                                                                                                                      mov dword ptr [ebp-1Ch], eax
                                                                                                                                      Programming Language:
                                                                                                                                      • [C++] VS2003 (.NET) build 3077
                                                                                                                                      • [ASM] VS2003 (.NET) build 3077
                                                                                                                                      • [ C ] VS2003 (.NET) build 3077
                                                                                                                                      • [C++] VS98 (6.0) SP6 build 8804
                                                                                                                                      • [ C ] VS98 (6.0) SP6 build 8804
                                                                                                                                      • [C++] VS98 (6.0) build 8168
                                                                                                                                      • [ C ] VS98 (6.0) build 8168
                                                                                                                                      • [EXP] VC++ 6.0 SP5 build 8804
                                                                                                                                      • [LNK] VS2003 (.NET) build 3077
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1afa6a0 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b60000 | 0xad0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd4000 | 0x7d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xd2a6e | 0xd3000 | d0877b1b0de4b0b6b278d7a83f631fb7 | False | 0.5161572497037915 | data | 6.575764380282678 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xd4000 | 0x1a28e94 | 0x1a29000 | 2153c521743d796b531758a0d454b5b1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1afd000 | 0x629e8 | 0x18000 | a15b10a14548b86ee35949901b14c097 | False | 0.3082682291666667 | data | 5.23343706797413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1b60000 | 0xad0c | 0xb000 | 7f7d108d2a27a2c5da7ba2191cdd1b6e | False | 0.9107776988636364 | data | 7.8547848028444776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x1b60644 | 0x2f20 | PNG image data, 552 x 302, 8-bit colormap, non-interlaced | Chinese | China | 0.9413958885941645
PNG | 0x1b63564 | 0x19bc | PNG image data, 920 x 40, 8-bit colormap, non-interlaced | Chinese | China | 0.9766241651487553
PNG | 0x1b64f20 | 0x3ad | PNG image data, 108 x 22, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0116896918172158
PNG | 0x1b652d0 | 0x187 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | Chinese | China | 1.0025575447570332
PNG | 0x1b65458 | 0x3ae | PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0116772823779194
PNG | 0x1b65808 | 0x356 | PNG image data, 45 x 45, 8-bit/color RGB, non-interlaced | Chinese | China | 1.0128805620608898
RT_ICON | 0x1b65b60 | 0x251f | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced |  |  | 1.0011575292013049
RT_ICON | 0x1b68080 | 0x2529 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced |  |  | 1.0011563124145906
RT_DIALOG | 0x1b6a5ac | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a5d8 | 0x2e | data | Chinese | China | 0.8695652173913043
RT_DIALOG | 0x1b6a608 | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a634 | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a660 | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a68c | 0x4e | data | Chinese | China | 0.8717948717948718
RT_DIALOG | 0x1b6a6dc | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a708 | 0x2e | data | Chinese | China | 0.8695652173913043
RT_DIALOG | 0x1b6a738 | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a764 | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a790 | 0x2c | data | Chinese | China | 0.8409090909090909
RT_DIALOG | 0x1b6a7bc | 0x52 | data | Chinese | China | 0.9024390243902439
RT_DIALOG | 0x1b6a810 | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1b6a850 | 0x40 | data | Chinese | China | 0.8125
RT_DIALOG | 0x1b6a890 | 0x40 | data | Chinese | China | 0.8125
RT_GROUP_ICON | 0x1b6a8d0 | 0x14 | data |  |  | 1.15
RT_GROUP_ICON | 0x1b6a8e4 | 0x14 | data |  |  | 1.25
RT_VERSION | 0x1b6a8f8 | 0x158 | 370 sysV pure executable not stripped | English | United States | 0.6046511627906976
RT_MANIFEST | 0x1b6aa50 | 0x2b9 | XML 1.0 document, ASCII text, with very long lines (697), with no line terminators |  |  | 0.5279770444763271
DLL | Import
WINMM.dll | midiStreamOut, midiOutPrepareHeader, waveOutPause, waveOutReset, waveOutClose, waveOutGetNumDevs, waveOutOpen, midiOutUnprepareHeader, midiStreamOpen, midiStreamProperty, waveOutUnprepareHeader, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutWrite, waveOutRestart, waveOutPrepareHeader
WS2_32.dll | WSACleanup, inet_ntoa, closesocket, WSAAsyncSelect, recvfrom, getpeername, accept, ntohl, ioctlsocket, recv
KERNEL32.dll | QueryPerformanceCounter, GetTimeZoneInformation, GetLocaleInfoA, GetVersion, CreateMutexA, ReleaseMutex, TerminateThread, SuspendThread, SetStdHandle, GetACP, HeapSize, GetDateFormatA, GetTimeFormatA, RaiseException, GetSystemTimeAsFileTime, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GetProfileIntA, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, FileTimeToSystemTime, FormatMessageA, LocalFree, InterlockedDecrement, InterlockedIncrement, SetLastError, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, GetFileAttributesA, DeleteFileA, CopyFileA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, GetFileType, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, IsBadWritePtr, InterlockedExchange, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetCurrentProcessId
USER32.dll | GetSystemMenu, DeleteMenu, GetMenu, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, CreateAcceleratorTableA, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, DrawFrameControl, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetSysColorBrush, LoadStringA, wvsprintfA, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, DefWindowProcA, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, InvertRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBeep, MessageBoxA, GetCursorPos, GetSystemMetrics, IsClipboardFormatAvailable, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, GetClassInfoA, IsZoomed, PostQuitMessage, CopyAcceleratorTableA, TranslateMessage, LoadIconA, DrawTextA, GrayStringA, ClipCursor, GetCursor, GetDoubleClickTime, FrameRect, GetDesktopWindow, GetClassNameA, GetDlgItem, GetWindowTextA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, PtInRect, ShowWindow, CopyRect, UnregisterClassA, TabbedTextOutA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos, ShowScrollBar, SetScrollInfo, GetScrollInfo, ScrollWindow, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions
GDI32.dll | ExtSelectClipRgn, LineTo, MoveToEx, ExcludeClipRect, GetClipBox, CreatePatternBrush, SelectObject, CreatePen, PatBlt, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, CreateFontIndirectA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, RectVisible, TextOutA, ExtTextOutA, GetTextMetricsA, Escape, AbortDoc, CreateFontA, SetBrushOrgEx, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, GetViewportExtEx, CopyMetaFileA, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, SetBkMode, RestoreDC, SaveDC, GetWindowExtEx, GetDIBits, RealizePalette, SelectPalette, StretchBlt, CreatePalette, GetSystemPaletteEntries, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, PtVisible, CreateRectRgnIndirect, Ellipse, SetBkColor
WINSPOOL.DRV | DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll | RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegQueryValueA, RegCreateKeyExA, RegCloseKey
SHELL32.dll | Shell_NotifyIconA, ShellExecuteA
ole32.dll | CoLockObjectExternal, DoDragDrop, CoTaskMemAlloc, OleIsCurrentClipboard, OleFlushClipboard, OleSetClipboard, CoTaskMemFree, ReleaseStgMedium, CLSIDFromProgID, OleRun, CoCreateInstance, CreateStreamOnHGlobal, CLSIDFromString, OleUninitialize, OleInitialize, OleDuplicateData, OleGetClipboard, RevokeDragDrop
OLEAUT32.dll | VarDateFromStr, UnRegisterTypeLib, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayCreate, SafeArrayDestroy, SysAllocString, VariantInit, VariantCopyInd, SafeArrayGetElement, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, VariantChangeType, VariantClear, VariantCopy
COMCTL32.dll | ImageList_AddMasked, ImageList_Draw, ImageList_GetImageInfo, ImageList_Destroy, ImageList_Create
comdlg32.dll | ChooseColorA, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA, PrintDlgA
Language of compilation system | Country where language is spoken
Chinese | China
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                      Oct 14, 2024 09:48:20.518129110 CEST498963760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:20.523042917 CEST37604989658.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:21.478365898 CEST37604989658.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:21.478488922 CEST498963760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:21.478554964 CEST498963760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:21.483328104 CEST37604989658.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:23.462322950 CEST499233760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:23.467185020 CEST37604992358.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:23.467302084 CEST499233760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:23.474535942 CEST4989780192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:23.474850893 CEST4992480192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:23.480822086 CEST8049924203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:23.480963945 CEST4992480192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:23.481129885 CEST4992480192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:23.481214046 CEST8049897203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:23.481276035 CEST4989780192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:23.487010002 CEST8049924203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:24.392110109 CEST8049924203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:24.444950104 CEST4992480192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:24.501626015 CEST499233760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:24.506622076 CEST37604992358.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:25.547425985 CEST37604992358.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:25.547605991 CEST499233760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:25.547605991 CEST499233760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:25.554012060 CEST37604992358.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:27.464410067 CEST499503760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:27.469441891 CEST37604995058.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:27.469526052 CEST499503760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:27.474620104 CEST4992480192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:27.474870920 CEST4995180192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:27.479712963 CEST8049951203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:27.479747057 CEST8049924203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:27.479794025 CEST4995180192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:27.479821920 CEST4992480192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:27.479935884 CEST4995180192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:27.484741926 CEST8049951203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:28.410223007 CEST8049951203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:28.450982094 CEST4995180192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:28.517880917 CEST499503760192.168.2.858.49.151.131
                                                                                                                                      Oct 14, 2024 09:48:28.522732973 CEST37604995058.49.151.131192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:33.409476995 CEST8049951203.107.1.33192.168.2.8
                                                                                                                                      Oct 14, 2024 09:48:33.409575939 CEST4995180192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:33.414673090 CEST4995180192.168.2.8203.107.1.33
                                                                                                                                      Oct 14, 2024 09:48:33.419811010 CEST8049951203.107.1.33192.168.2.8
                                                                                                                                      • 203.107.1.33
Session ID:0
Source IP:192.168.2.8
Source Port:49705
Destination IP:203.107.1.33
Destination Port:80
PID:5944
Process:C:\Users\user\Documents\czrdnq8b.exe
Timestamp:Oct 14, 2024 09:46:41.419692039 CEST
Bytes transferred:286
Direction:OUT
Data:GET /100000/d?host=www.aliyun.com HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://203.107.1.33/100000/d?host=www.aliyun.com
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
                                                                                                                                      Host: 203.107.1.33
Timestamp:Oct 14, 2024 09:46:42.413326979 CEST
Bytes transferred:321
Direction:IN
Data:HTTP/1.1 200
                                                                                                                                      Server: Tengine
                                                                                                                                      Date: Mon, 14 Oct 2024 07:46:42 GMT
                                                                                                                                      Content-Type: application/json;charset=UTF-8
                                                                                                                                      Content-Length: 159
                                                                                                                                      Connection: keep-alive
                                                                                                                                      Data Ascii: {"host":"www.aliyun.com","ips":["47.88.198.68","47.88.198.69","47.74.138.66","47.88.251.189","47.88.128.4"],"ttl":30,"origin_ttl":30,"client_ip":"8.46.123.33"}


Session ID:1
Source IP:192.168.2.8
Source Port:49707
Destination IP:203.107.1.33
Destination Port:80
PID:5944
Process:C:\Users\user\Documents\czrdnq8b.exe
Timestamp:Oct 14, 2024 09:46:43.346767902 CEST
Bytes transferred:286
Direction:OUT
Data:GET /100000/d?host=www.aliyun.com HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://203.107.1.33/100000/d?host=www.aliyun.com
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
                                                                                                                                      Host: 203.107.1.33
Timestamp:Oct 14, 2024 09:46:44.239830017 CEST
Bytes transferred:321
Direction:IN
Data:HTTP/1.1 200
                                                                                                                                      Server: Tengine
                                                                                                                                      Date: Mon, 14 Oct 2024 07:46:44 GMT
                                                                                                                                      Content-Type: application/json;charset=UTF-8
                                                                                                                                      Content-Length: 159
                                                                                                                                      Connection: keep-alive
                                                                                                                                      Data Ascii: {"host":"www.aliyun.com","ips":["47.74.138.66","47.88.251.189","47.88.198.68","47.88.128.4","47.88.198.69"],"ttl":29,"origin_ttl":30,"client_ip":"8.46.123.33"}


Session ID:2
Source IP:192.168.2.8
Source Port:49897
Destination IP:203.107.1.33
Destination Port:80
PID:5944
Process:C:\Users\user\Documents\czrdnq8b.exe
Timestamp:Oct 14, 2024 09:48:19.481049061 CEST
Bytes transferred:286
Direction:OUT
Data:GET /100000/d?host=www.aliyun.com HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://203.107.1.33/100000/d?host=www.aliyun.com
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
                                                                                                                                      Host: 203.107.1.33
Timestamp:Oct 14, 2024 09:48:20.410012960 CEST
Bytes transferred:321
Direction:IN
Data:HTTP/1.1 200
                                                                                                                                      Server: Tengine
                                                                                                                                      Date: Mon, 14 Oct 2024 07:48:20 GMT
                                                                                                                                      Content-Type: application/json;charset=UTF-8
                                                                                                                                      Content-Length: 159
                                                                                                                                      Connection: keep-alive
                                                                                                                                      Data Ascii: {"host":"www.aliyun.com","ips":["47.88.198.68","47.88.128.4","47.88.198.69","47.88.251.189","47.74.138.66"],"ttl":30,"origin_ttl":30,"client_ip":"8.46.123.33"}


Session ID:3
Source IP:192.168.2.8
Source Port:49924
Destination IP:203.107.1.33
Destination Port:80
PID:5944
Process:C:\Users\user\Documents\czrdnq8b.exe
Timestamp:Oct 14, 2024 09:48:23.481129885 CEST
Bytes transferred:286
Direction:OUT
Data:GET /100000/d?host=www.aliyun.com HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://203.107.1.33/100000/d?host=www.aliyun.com
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
                                                                                                                                      Host: 203.107.1.33
Timestamp:Oct 14, 2024 09:48:24.392110109 CEST
Bytes transferred:321
Direction:IN
Data:HTTP/1.1 200
                                                                                                                                      Server: Tengine
                                                                                                                                      Date: Mon, 14 Oct 2024 07:48:24 GMT
                                                                                                                                      Content-Type: application/json;charset=UTF-8
                                                                                                                                      Content-Length: 159
                                                                                                                                      Connection: keep-alive
                                                                                                                                      Data Ascii: {"host":"www.aliyun.com","ips":["47.88.128.4","47.88.198.69","47.74.138.66","47.88.251.189","47.88.198.68"],"ttl":26,"origin_ttl":30,"client_ip":"8.46.123.33"}


Session ID:4
Source IP:192.168.2.8
Source Port:49951
Destination IP:203.107.1.33
Destination Port:80
PID:5944
Process:C:\Users\user\Documents\czrdnq8b.exe
Timestamp:Oct 14, 2024 09:48:27.479935884 CEST
Bytes transferred:286
Direction:OUT
Data:GET /100000/d?host=www.aliyun.com HTTP/1.1
                                                                                                                                      Connection: Keep-Alive
                                                                                                                                      Accept: */*
                                                                                                                                      Referer: http://203.107.1.33/100000/d?host=www.aliyun.com
                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
                                                                                                                                      Host: 203.107.1.33
Timestamp:Oct 14, 2024 09:48:28.410223007 CEST
Bytes transferred:321
Direction:IN
Data:HTTP/1.1 200
                                                                                                                                      Server: Tengine
                                                                                                                                      Date: Mon, 14 Oct 2024 07:48:28 GMT
                                                                                                                                      Content-Type: application/json;charset=UTF-8
                                                                                                                                      Content-Length: 159
                                                                                                                                      Connection: keep-alive
                                                                                                                                      Data Ascii: {"host":"www.aliyun.com","ips":["47.74.138.66","47.88.251.189","47.88.198.69","47.88.128.4","47.88.198.68"],"ttl":22,"origin_ttl":30,"client_ip":"8.46.123.33"}



                                                                                                                                      Target ID:0
                                                                                                                                      Start time:03:46:34
                                                                                                                                      Start date:14/10/2024
                                                                                                                                      Path:C:\Users\user\Desktop\PJ-0020241013_setup.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\Desktop\PJ-0020241013_setup.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:28'442'624 bytes
                                                                                                                                      MD5 hash:3DA00DD654B74F9CE78EE91F395C9FB7
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:2
                                                                                                                                      Start time:03:46:36
                                                                                                                                      Start date:14/10/2024
                                                                                                                                      Path:C:\Users\user\Documents\czrdnq8b.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\Documents\czrdnq8b.exe"
                                                                                                                                      Imagebase:0xfb0000
                                                                                                                                      File size:2'170'224 bytes
                                                                                                                                      MD5 hash:655651DF2AEF751ED40244A79373AD2A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:false


                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:6.5%
                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                        Signature Coverage:2.5%
                                                                                                                                        Total number of Nodes:680
                                                                                                                                        Total number of Limit Nodes:23

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(01F5A1C0,01F5A194,00000000,?,01F5A1A4,01F5A1A4,004CB0E3,75570A60,00000000,004CAB36,004CA42A,004CAB52,004C5925,004C6BC7,75570A60,00000000), ref: 004CAD57
                                                                                                                                        • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,01F5A1A4,01F5A1A4,004CB0E3,75570A60,00000000,004CAB36,004CA42A,004CAB52,004C5925,004C6BC7,75570A60,00000000), ref: 004CADAC
                                                                                                                                        • GlobalHandle.KERNEL32(02092BE8), ref: 004CADB5
                                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004CADBE
                                                                                                                                        • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 004CADD0
                                                                                                                                        • GlobalHandle.KERNEL32(02092BE8), ref: 004CADE7
                                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 004CADEE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,01F5A1A4,01F5A1A4,004CB0E3,75570A60,00000000,004CAB36,004CA42A,004CAB52,004C5925,004C6BC7,75570A60,00000000), ref: 004CADF4
                                                                                                                                        • GlobalLock.KERNEL32(?), ref: 004CAE03
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 004CAE4C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2667261700-0
                                                                                                                                        • Opcode ID: e916358a34a8159a47c077b9ee545ce76c0b013e840e9d48261e706628477563
                                                                                                                                        • Instruction ID: b1b0cc1076c751b20dcf02fa0de57a1471d47e02644e1934b1e49643cd0fbfb7
                                                                                                                                        • Opcode Fuzzy Hash: e916358a34a8159a47c077b9ee545ce76c0b013e840e9d48261e706628477563
                                                                                                                                        • Instruction Fuzzy Hash: 4F3194752007099FD724DF28DC89E6AB7E9FB84305B000A2EF993C3A61E775E8148B55

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 19 4adf14-4adf25 call 4b2688 22 4adf7f-4adf84 call 4b26c3 19->22 23 4adf27-4adf2e 19->23 24 4adf70 23->24 25 4adf30-4adf48 call 4b5ea8 call 4b74ef 23->25 29 4adf71-4adf79 RtlFreeHeap 24->29 33 4adf4a-4adf52 call 4b751a 25->33 34 4adf53-4adf60 call 4adf67 25->34 29->22 33->34 34->22 39 4adf62-4adf65 34->39 39->29
                                                                                                                                        APIs
                                                                                                                                        • __lock.LIBCMT ref: 004ADF32
                                                                                                                                          • Part of subcall function 004B5EA8: EnterCriticalSection.KERNEL32(?,?,?,004ADF37,00000004,01EEB5D8,0000000C,004B5DC1,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004B5ED0
                                                                                                                                        • RtlFreeHeap.NTDLL(00000000,?,01EEB5D8,0000000C,004B5DC1,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004ADF79
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalEnterFreeHeapSection__lock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3012239193-0
                                                                                                                                        • Opcode ID: 6ba62f23058907f1439675d148bc94769042cdc9fa127953cdb26ee3947b627e
                                                                                                                                        • Instruction ID: 5901a22e2a08fea6019e35862a3884389c3459af7c404a51c6d3a5e9e20a59cf
                                                                                                                                        • Opcode Fuzzy Hash: 6ba62f23058907f1439675d148bc94769042cdc9fa127953cdb26ee3947b627e
                                                                                                                                        • Instruction Fuzzy Hash: 83F0F6B1C09205AEDF206B319C06BCF7B609F11364F10011BF106668D1CB3C5A418A6D

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 40 4adf85-4adf9b call 4b2688 43 4adfcb-4adfcd 40->43 44 4adf9d-4adfa3 40->44 46 4adfcf 43->46 47 4adfd0-4adfd7 43->47 44->43 45 4adfa5-4adfc9 call 4b5ea8 call 4b7cce call 4adff7 44->45 45->43 51 4adfee-4adff3 call 4b26c3 45->51 46->47 48 4adfd9-4adfdc 47->48 49 4adfdf-4adfe8 RtlAllocateHeap 47->49 48->49 49->51
                                                                                                                                        APIs
                                                                                                                                        • __lock.LIBCMT ref: 004ADFA7
                                                                                                                                          • Part of subcall function 004B5EA8: EnterCriticalSection.KERNEL32(?,?,?,004ADF37,00000004,01EEB5D8,0000000C,004B5DC1,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004B5ED0
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,01EEB5E8,0000000C,004AE010,000000E0,004AE03B,?,004B5E2B,00000018,01EEFC18,00000008,004B5EC1,?,?), ref: 004ADFE8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateCriticalEnterHeapSection__lock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 409319249-0
                                                                                                                                        • Opcode ID: 3771dca2a186583077be47790d1e1a9cad69cdb927f893e6af3c22b773830fd2
                                                                                                                                        • Instruction ID: 56819f43e7f37c248a974c45ec631b153442b8f1e180c00749bb59aebc97694b
                                                                                                                                        • Opcode Fuzzy Hash: 3771dca2a186583077be47790d1e1a9cad69cdb927f893e6af3c22b773830fd2
                                                                                                                                        • Instruction Fuzzy Hash: 78F0FC71C412159FDB306B729D0978FB760AB22764F50011BF9127B6D1C7380E1187BC

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 59 4cb95c-4cb987 SetErrorMode * 2 call 4cab27 * 2 64 4cb9a8-4cb9b2 call 4cab27 59->64 65 4cb989-4cb9a3 call 4cb9bf 59->65 69 4cb9b9-4cb9bc 64->69 70 4cb9b4 call 4c5935 64->70 65->64 70->69
                                                                                                                                        APIs
                                                                                                                                        • SetErrorMode.KERNELBASE(00000000,00000000,004C6BE6,?,?,?,?,75570A60,00000000,?,004BDC49,?,?,?,?,004AC5CB), ref: 004CB965
                                                                                                                                        • SetErrorMode.KERNELBASE(00000000,?,004BDC49,?,?,?,?,004AC5CB,00000000), ref: 004CB96C
                                                                                                                                          • Part of subcall function 004CB9BF: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 004CB9F0
                                                                                                                                          • Part of subcall function 004CB9BF: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004CBA91
                                                                                                                                          • Part of subcall function 004CB9BF: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004CBABE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.1488307443.0000000001F00000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.1488332434.0000000001F12000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.1488332434.0000000001F20000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.1488332434.0000000001F3C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.1488332434.0000000001F58000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.1488332434.0000000001F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        • Associated: 00000000.00000002.1488439205.0000000001F60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3389432936-0
                                                                                                                                        • Opcode ID: 39a225c5edbbdb66f69ca0b5dbc974685116c8a752fa2382b962a5f4af3b298d
                                                                                                                                        • Instruction ID: 34fa29b4c39794f65b9b1cb7489ee73bc8f9d7bb4b539e4205657b75a6fb291b
                                                                                                                                        • Opcode Fuzzy Hash: 39a225c5edbbdb66f69ca0b5dbc974685116c8a752fa2382b962a5f4af3b298d
                                                                                                                                        • Instruction Fuzzy Hash: FFF087B89142148FC790AF24D445F193BE8AF88318F05849FB1448B3A2CB78E880CB9A

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 004C5948
                                                                                                                                        • SetWindowsHookExA.USER32(000000FF,004C5C8A,00000000,00000000), ref: 004C5958
                                                                                                                                          • Part of subcall function 004CB144: __EH_prolog.LIBCMT ref: 004CB149
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentH_prologHookThreadWindows
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2183259885-0
                                                                                                                                        • Opcode ID: 8b0a23b243f1069195308780113b94263f56bdc95b599415eb05744b4afe5f2c
                                                                                                                                        • Instruction ID: 2975da07a41449ec6774bc13a80bbca136ea650d9f26499ef5a2f06a694285d5
                                                                                                                                        • Opcode Fuzzy Hash: 8b0a23b243f1069195308780113b94263f56bdc95b599415eb05744b4afe5f2c
                                                                                                                                        • Instruction Fuzzy Hash: 80F082795017109FDBE03FB19C0AF193690AB41368F15075FB642575E1CB7CA8D08B5E

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 87 4b2637-4b2655 HeapCreate 88 4b2681-4b2683 87->88 89 4b2657-4b2664 call 4b261d 87->89 92 4b2666-4b2673 call 4b74a7 89->92 93 4b2684-4b2687 89->93 92->93 96 4b2675-4b267b HeapDestroy 92->96 96->88
                                                                                                                                        APIs
                                                                                                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,004AC515,00000001,?,01EEB4F8,00000060), ref: 004B2648
                                                                                                                                          • Part of subcall function 004B74A7: HeapAlloc.KERNEL32(00000000,00000140,004B2670,000003F8,?,01EEB4F8,00000060), ref: 004B74B4
                                                                                                                                        • HeapDestroy.KERNEL32(?,01EEB4F8,00000060), ref: 004B267B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocCreateDestroy
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2236781399-0
                                                                                                                                        • Opcode ID: 360217e6e6b5acadfbd0c94e7f9c09330000cd6acaa1dddc6e4a744c752da258
                                                                                                                                        • Instruction ID: 785471599376a562c4177a3e463a53d5614194fba2cc7750f029a71aff2a8772
                                                                                                                                        • Opcode Fuzzy Hash: 360217e6e6b5acadfbd0c94e7f9c09330000cd6acaa1dddc6e4a744c752da258
                                                                                                                                        • Instruction Fuzzy Hash: C2E020707253015BDF245F705E0935A37D4E750786F00083BF504C8485EBB4C5109B38

                                                                                                                                        Control-flow Graph

                                                                                                                                        control_flow_graph 97 4c63e5-4c6404 call 4cab27 LoadStringA 100 4c6408-4c6409 97->100 101 4c6406 97->101 101->100
                                                                                                                                        APIs
                                                                                                                                        • LoadStringA.USER32(?,?,?,?), ref: 004C63FC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LoadString
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2948472770-0

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(user32.dll,01EEBFF0,?,?), ref: 004BB43D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004BB459
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004BB46A
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004BB477
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 004BB48D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 004BB49E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$LibraryLoad
                                                                                                                                        • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
                                                                                                                                        • API String ID: 2238633743-1612076079
                                                                                                                                        APIs
                                                                                                                                        • GetVersion.KERNEL32(?,004CBDE8,?,004CB165,00000010,75570A60,00000000,?,?,?,004CAB4C,004CABAF,004CA42A,004CAB52,004C5925,004C6BC7), ref: 004CBD58
                                                                                                                                        • InitializeCriticalSection.KERNEL32(01F5A338,?,004CBDE8,?,004CB165,00000010,75570A60,00000000,?,?,?,004CAB4C,004CABAF,004CA42A,004CAB52,004C5925), ref: 004CBD7D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalInitializeSectionVersion
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 385228656-0
                                                                                                                                        APIs
                                                                                                                                        • GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 004BC826
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoLocale
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2299586839-0

                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 004B19E3
                                                                                                                                        • _strlen.LIBCMT ref: 004B1A03
                                                                                                                                        • _strlen.LIBCMT ref: 004B1A12
                                                                                                                                        • _strncpy.LIBCMT ref: 004B1A29
                                                                                                                                        • _strlen.LIBCMT ref: 004B1A32
                                                                                                                                        • _strlen.LIBCMT ref: 004B1A3F
                                                                                                                                        • _strlen.LIBCMT ref: 004B1AA5
                                                                                                                                        • GetStdHandle.KERNEL32(000000F4,01EEBFA0,00000000,?,00000000,00000000,00000000,00000000), ref: 004B1AB0
                                                                                                                                        • WriteFile.KERNEL32(00000000), ref: 004B1AB7
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _strlen$File$HandleModuleNameWrite_strncpy
                                                                                                                                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                                        • API String ID: 190417973-4022980321
                                                                                                                                        • Opcode ID: 41782de2e8719bff3f63a94ee6a1dddb9380076e7d91ec694bb748f54eda7a5c
                                                                                                                                        • Instruction ID: ecffd712f85a1c852a24551aef80f353c8a52aa4afd53938bee92d126f4bb09c
                                                                                                                                        • Opcode Fuzzy Hash: 41782de2e8719bff3f63a94ee6a1dddb9380076e7d91ec694bb748f54eda7a5c
                                                                                                                                        • Instruction Fuzzy Hash: 823126725002046BDB20ABB59C96EEF37A9EB49314F10441FF955D7292EE3CA9448B78

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 176 4b252e-4b2535 call 4b5d55 179 4b253f-4b2550 GetModuleHandleA 176->179 180 4b2537-4b253e call 4b2359 176->180 182 4b25bd-4b25d0 FlsAlloc 179->182 183 4b2552-4b2593 GetProcAddress * 4 179->183 184 4b2613-4b2618 call 4b2359 182->184 185 4b25d2-4b25e6 call 4aedc7 182->185 183->182 187 4b2595-4b25b8 183->187 193 4b261a-4b261c 184->193 185->184 192 4b25e8-4b25f7 FlsSetValue 185->192 187->182 192->184 194 4b25f9-4b2611 GetCurrentThreadId 192->194 194->193
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,75570A60,00000000,004AC527,?,01EEB4F8,00000060), ref: 004B2546
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004B255E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004B256B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004B2578
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004B2585
                                                                                                                                        • FlsAlloc.KERNEL32(004B23E7,?,01EEB4F8,00000060), ref: 004B25C2
                                                                                                                                        • FlsSetValue.KERNEL32(00000000,?,01EEB4F8,00000060), ref: 004B25EF
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 004B2603
                                                                                                                                          • Part of subcall function 004B2359: FlsFree.KERNEL32(00000005,004B2618,?,01EEB4F8,00000060), ref: 004B2364
                                                                                                                                          • Part of subcall function 004B2359: DeleteCriticalSection.KERNEL32(00000000,00000000,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004B5DB9
                                                                                                                                          • Part of subcall function 004B2359: DeleteCriticalSection.KERNEL32(00000005,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004B5DE3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue
                                                                                                                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
                                                                                                                                        • API String ID: 2635119114-282957996
                                                                                                                                        • Opcode ID: 5005fe302e458925a24c1ae3b2538cc8a4406c2e67f9134ff85c6653f13b349c
                                                                                                                                        • Instruction ID: 18a6775578bcb111cf6db80ef546d76b18df9bccddf1b2d63498a9297e369291
                                                                                                                                        • Opcode Fuzzy Hash: 5005fe302e458925a24c1ae3b2538cc8a4406c2e67f9134ff85c6653f13b349c
                                                                                                                                        • Instruction Fuzzy Hash: C4215E706013059BCB309F36BA08A5B7FF0EB81761710622FF966D3254DBB89811CBA8

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,01EF0AA8,00000118,004B7481,00000001,00000000,01EEFE50,00000008,004B1ACE,00000000,00000000,00000000), ref: 004BCAF9
                                                                                                                                        • _strlen.LIBCMT ref: 004BCB1F
                                                                                                                                        • _strlen.LIBCMT ref: 004BCB30
                                                                                                                                        • _strncpy.LIBCMT ref: 004BCB4A
                                                                                                                                        • _strlen.LIBCMT ref: 004BCB53
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _strlen$FileModuleName_strncpy
                                                                                                                                        • String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
                                                                                                                                        • API String ID: 2455649890-1673886896
                                                                                                                                        • Opcode ID: 8d91b1f67e059e332bbe37b459208ee3e7e8720c5c8f251717d2b942968f7d08
                                                                                                                                        • Instruction ID: 09f10cd300728b6c35e6c88a8621b0e2ffabd53ff542ddc624661bffd2c4251d
                                                                                                                                        • Opcode Fuzzy Hash: 8d91b1f67e059e332bbe37b459208ee3e7e8720c5c8f251717d2b942968f7d08
                                                                                                                                        • Instruction Fuzzy Hash: 6731F471A002186BDB11ABB59C83EEF37A99B45314F11005FF114AB283EA3CDE518BAD

                                                                                                                                        APIs
                                                                                                                                        • LCMapStringW.KERNEL32(00000000,00000100,01EEFE24,00000001,00000000,00000000,01EEFE28,00000038,004B11B9,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 004B6F4F
                                                                                                                                        • GetLastError.KERNEL32 ref: 004B6F61
                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,01EEFE28,00000038,004B11B9,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 004B6FE8
                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 004B7069
                                                                                                                                        • LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 004B7083
                                                                                                                                        • LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 004B70BE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: String$ByteCharMultiWide$ErrorLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1775797328-0
                                                                                                                                        • Opcode ID: ecc85519fde3c6e8b025b46dadbe9e76996948478368bf05304f407fbf5a4721
                                                                                                                                        • Instruction ID: ccebc70ac6192e3d6d1267d3399eb3b709e21148cf053269bc775fbce7f99d11
                                                                                                                                        • Opcode Fuzzy Hash: ecc85519fde3c6e8b025b46dadbe9e76996948478368bf05304f407fbf5a4721
                                                                                                                                        • Instruction Fuzzy Hash: 01B15E72804219EFCF219FA8DC858EE7BB5FF48354F14412AF911A6260D7398D61DBB8

                                                                                                                                        APIs
                                                                                                                                        • GetCPInfo.KERNEL32(?,?,01EF08F8,00000038,004BAAB2,?,00000000,?,?,00000000,00000000,01EF07B8,0000001C,004B1195,00000001,00000020), ref: 004BC887
                                                                                                                                        • GetCPInfo.KERNEL32(?,00000001), ref: 004BC89A
                                                                                                                                        • _strlen.LIBCMT ref: 004BC8BE
                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 004BC8DF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Info$ByteCharMultiWide_strlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1335377746-0
                                                                                                                                        • Opcode ID: 21110b0ca699ba999a22464c2b4814275fe95fb8c06b556bd3383914a7356091
                                                                                                                                        • Instruction ID: f6f90171a2d4871dd24166ba0917135923bfdf386aeba851b9d403c20beb2bf4
                                                                                                                                        • Opcode Fuzzy Hash: 21110b0ca699ba999a22464c2b4814275fe95fb8c06b556bd3383914a7356091
                                                                                                                                        • Instruction Fuzzy Hash: CE518AB1801219ABDB219F96ECC49EFBBB9EF85360B24022BF815A2250D7345D41CB78
                                                                                                                                        APIs
                                                                                                                                        • GetVersionExA.KERNEL32(?,01EEB4F8,00000060), ref: 004AC467
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,01EEB4F8,00000060), ref: 004AC4BA
                                                                                                                                        • _fast_error_exit.LIBCMT ref: 004AC51C
                                                                                                                                        • _fast_error_exit.LIBCMT ref: 004AC52D
                                                                                                                                        • GetCommandLineA.KERNEL32(?,01EEB4F8,00000060), ref: 004AC54C
                                                                                                                                        • GetStartupInfoA.KERNEL32(?), ref: 004AC5A0
                                                                                                                                        • __wincmdln.LIBCMT ref: 004AC5A6
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004AC5C3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule_fast_error_exit$CommandInfoLineStartupVersion__wincmdln
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3897392166-0
                                                                                                                                        • Opcode ID: c728deaf36662aa13db296f8f0356f6301e6ec791820f3513ceb8b625334ec05
                                                                                                                                        • Instruction ID: a4c07f616270dd78166514e4b8d35e795687787e05bba1a5c0cfe35b74021baa
                                                                                                                                        • Opcode Fuzzy Hash: c728deaf36662aa13db296f8f0356f6301e6ec791820f3513ceb8b625334ec05
                                                                                                                                        • Instruction Fuzzy Hash: 4341D3B0D00314DBDB61AF7AD9856AE3BB0AF55714F20442FF411AB281DB7C9942DBAC
                                                                                                                                        APIs
                                                                                                                                        • GetEnvironmentStringsW.KERNEL32(75570A60,00000000,?,?,?,?,004AC55C,?,01EEB4F8,00000060), ref: 004B1FC4
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,004AC55C,?,01EEB4F8,00000060), ref: 004B1FD8
                                                                                                                                        • GetEnvironmentStringsW.KERNEL32(75570A60,00000000,?,?,?,?,004AC55C,?,01EEB4F8,00000060), ref: 004B1FFA
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,75570A60,00000000,?,?,?,?,004AC55C), ref: 004B202E
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,004AC55C,?,01EEB4F8,00000060), ref: 004B2050
                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,004AC55C,?,01EEB4F8,00000060), ref: 004B2069
                                                                                                                                        • GetEnvironmentStrings.KERNEL32(75570A60,00000000,?,?,?,?,004AC55C,?,01EEB4F8,00000060), ref: 004B207F
                                                                                                                                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004B20BB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 883850110-0
                                                                                                                                        • Opcode ID: c269848ed08847136d91c2ec277f90b3d7e040055a0511ee536a454567d023cf
                                                                                                                                        • Instruction ID: 443ba4fd8a155f5f6dbdf342bbfeaf13d200954073ec8b085bd5df74f2d5a326
                                                                                                                                        • Opcode Fuzzy Hash: c269848ed08847136d91c2ec277f90b3d7e040055a0511ee536a454567d023cf
                                                                                                                                        • Instruction Fuzzy Hash: 063124B26092196FD7303F796D848BBBA9CEB55354715052FF742C3211E6A98C41C379
                                                                                                                                        APIs
                                                                                                                                        • GetStringTypeW.KERNEL32(00000001,01EEFE24,00000001,?,01EF07B8,0000001C,004B1195,00000001,00000020,00000100,?,00000000), ref: 004BA953
                                                                                                                                        • GetLastError.KERNEL32 ref: 004BA965
                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,01EF07B8,0000001C,004B1195,00000001,00000020,00000100,?,00000000), ref: 004BA9C7
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,?,00000000), ref: 004BAA45
                                                                                                                                        • GetStringTypeW.KERNEL32(?,?,00000000,?,?,00000000), ref: 004BAA57
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharMultiStringTypeWide$ErrorLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3581945363-0
                                                                                                                                        • Opcode ID: 97b696da13f0f85f7e95d5978cf8ba6590ed716f4475ffbb316c4d83d4b11486
                                                                                                                                        • Instruction ID: 8c77e07ef66451ad68198b505235a4597174df63769cdfaca34e778e69ecb996
                                                                                                                                        • Opcode Fuzzy Hash: 97b696da13f0f85f7e95d5978cf8ba6590ed716f4475ffbb316c4d83d4b11486
                                                                                                                                        • Instruction Fuzzy Hash: 2B41F031901219ABCB228F65CD45AEF3B75FF5C760F15021AF911A7290C7388D60DBBA
                                                                                                                                        APIs
                                                                                                                                        • TlsGetValue.KERNEL32(01F5A1A4,01F5A194,00000000,?,01F5A1A4,?,004CB11F,01F5A194,00000000,?,004BDC49,?,?,?,?,004AC5CB), ref: 004CAEC2
                                                                                                                                        • EnterCriticalSection.KERNEL32(01F5A1C0,00000010,?,01F5A1A4,?,004CB11F,01F5A194,00000000,?,004BDC49,?,?,?,?,004AC5CB,00000000), ref: 004CAF11
                                                                                                                                        • LeaveCriticalSection.KERNEL32(01F5A1C0,00000000,?,01F5A1A4,?,004CB11F,01F5A194,00000000,?,004BDC49,?,?,?,?,004AC5CB,00000000), ref: 004CAF24
                                                                                                                                        • LocalAlloc.KERNEL32(00000000,00000004,?,01F5A1A4,?,004CB11F,01F5A194,00000000,?,004BDC49,?,?,?,?,004AC5CB,00000000), ref: 004CAF3A
                                                                                                                                        • LocalReAlloc.KERNEL32(?,00000004,00000002,?,01F5A1A4,?,004CB11F,01F5A194,00000000,?,004BDC49,?,?,?,?,004AC5CB), ref: 004CAF4C
                                                                                                                                        • TlsSetValue.KERNEL32(01F5A1A4,00000000), ref: 004CAF88
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4117633390-0
                                                                                                                                        • Opcode ID: 55c5a1619c259003db37c652be8f1dd9bcd637dfe09918c34511778e67a23edf
                                                                                                                                        • Instruction ID: 2f890f646b3824886425bf31fc2b676cf94e0fba9bb9887810736f7a30a15456
                                                                                                                                        • Opcode Fuzzy Hash: 55c5a1619c259003db37c652be8f1dd9bcd637dfe09918c34511778e67a23edf
                                                                                                                                        • Instruction Fuzzy Hash: 6B31A075200209AFD724DF15C889F6AB7F8FB85368F00862EF45AC7650E734E814CBA6
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 004CB9F0
                                                                                                                                          • Part of subcall function 004CBADC: lstrlenA.KERNEL32(00000104,00000000,?,004CBA20), ref: 004CBB13
                                                                                                                                        • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004CBA91
                                                                                                                                        • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004CBABE
                                                                                                                                          • Part of subcall function 004AF969: _strlen.LIBCMT ref: 004AF973
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileModuleName_strlenlstrcatlstrcpylstrlen
                                                                                                                                        • String ID: .HLP$.INI
                                                                                                                                        • API String ID: 2215474543-3011182340
                                                                                                                                        • Opcode ID: ee7d9e938b820bc94a4cc8b7798e1c9786cf4f2ff7cb29374036348eb2df3951
                                                                                                                                        • Instruction ID: 0818f4982dcea327269881c37fcccdc1b18dcaf23d7d2830d87eee6b7b619bc1
                                                                                                                                        • Opcode Fuzzy Hash: ee7d9e938b820bc94a4cc8b7798e1c9786cf4f2ff7cb29374036348eb2df3951
                                                                                                                                        • Instruction Fuzzy Hash: C9316FB6900718AFDB61DBB1D885F8AB7ECEB08304F1049AFE199D2151DB78A9848B54
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(mscoree.dll,004B0D51,?,01EEBBA8,00000008,004B0D88,?,00000001,00000000,004BCBBF,00000003), ref: 004B0BE8
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004B0BF8
                                                                                                                                        • ExitProcess.KERNEL32 ref: 004B0C0C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressExitHandleModuleProcProcess
                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                        • API String ID: 75539706-1276376045
                                                                                                                                        • Opcode ID: 11a1e5803c455d80e60df8036fccd9fd1581024244df96de4e3a8083633f84d3
                                                                                                                                        • Instruction ID: 63deffa82d0352f572841fe6d8c7ed351e44f39c57da2ccac71707626df54f21
                                                                                                                                        • Opcode Fuzzy Hash: 11a1e5803c455d80e60df8036fccd9fd1581024244df96de4e3a8083633f84d3
                                                                                                                                        • Instruction Fuzzy Hash: 65D0C930341200ABDA642B729E0DA2F3FB8AE90B42704852EB856D1024DB39CC04DA29
                                                                                                                                        APIs
                                                                                                                                        • GetStartupInfoA.KERNEL32(?), ref: 004B2127
                                                                                                                                        • GetFileType.KERNEL32(?), ref: 004B21D1
                                                                                                                                        • GetStdHandle.KERNEL32(-000000F6), ref: 004B2252
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileHandleInfoStartupType
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2461013171-0
                                                                                                                                        • Opcode ID: acbc9b6b521ed5bf4f6ab5d3313dac3e4525ccf38b3673ac73014cac7e57b874
                                                                                                                                        • Instruction ID: 2bcf6617e221c1f3dd9ac33b655f3fbc637c6feea94df3781042e9f71b8839fb
                                                                                                                                        • Opcode Fuzzy Hash: acbc9b6b521ed5bf4f6ab5d3313dac3e4525ccf38b3673ac73014cac7e57b874
                                                                                                                                        • Instruction Fuzzy Hash: 855103701083018FD7248F68D9847A677E4FB11324F258AAED6A6CB2D2D7B8D946C729
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000000.00000002.1488439205.0000000001F60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3c1b8299b3f5cdef4faf2d9952d40f4ce32e37f492b4af0e4ead78d72941bbce
                                                                                                                                        • Instruction ID: 0f98403ec6aecce1449a9195aecec6d539c7d25e08710cae055f9b43ad847166
                                                                                                                                        • Opcode Fuzzy Hash: 3c1b8299b3f5cdef4faf2d9952d40f4ce32e37f492b4af0e4ead78d72941bbce
                                                                                                                                        • Instruction Fuzzy Hash: F141E4B1C05125ABCF30BFA68C848AF7B64AB67368710463FF954A6242D63C4D45CFAD
                                                                                                                                        APIs
                                                                                                                                        • GetLastError.KERNEL32(?,00000000,004AE8E7,004B5E6A,00000000,01EEFC18,00000008,004B5EC1,?,?,?,004ADF37,00000004,01EEB5D8,0000000C,004B5DC1), ref: 004B2378
                                                                                                                                        • FlsGetValue.KERNEL32(?,004ADF37,00000004,01EEB5D8,0000000C,004B5DC1,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004B2386
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,004ADF37,00000004,01EEB5D8,0000000C,004B5DC1,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004B23DC
                                                                                                                                          • Part of subcall function 004AEDC7: __lock.LIBCMT ref: 004AEE0B
                                                                                                                                          • Part of subcall function 004AEDC7: HeapAlloc.KERNEL32(00000008,?,01EEB660,00000010,004B239E,00000001,0000008C,?,004ADF37,00000004,01EEB5D8,0000000C,004B5DC1,00000000,?,004B2618), ref: 004AEE49
                                                                                                                                        • FlsSetValue.KERNEL32(00000000,?,004ADF37,00000004,01EEB5D8,0000000C,004B5DC1,00000000,?,004B2618,?,01EEB4F8,00000060), ref: 004B23AD
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 004B23C5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLastValue$AllocCurrentHeapThread__lock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3368326513-0
                                                                                                                                        • Opcode ID: c84113e2126115e2b5b09813a660603b9b434622e8ad1a69cfc2e5249f0dcf48
                                                                                                                                        • Instruction ID: d3489e98a128b20689b9292e3befd32e856594ed8c93a4ca841b5abe624012f8
                                                                                                                                        • Opcode Fuzzy Hash: c84113e2126115e2b5b09813a660603b9b434622e8ad1a69cfc2e5249f0dcf48
                                                                                                                                        • Instruction Fuzzy Hash: 00F06D316067159BDB312B74B9097467BE0EB047A1F101A2AF9D2D7694CBF88C409BA9
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,01EF0860,00000010,004B5D80,00000000,00000FA0,75570A60,00000000,004B2533,004AC527,?,01EEB4F8,00000060), ref: 004BB3BD
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 004BB3CD
                                                                                                                                        Strings
                                                                                                                                        • kernel32.dll, xrefs: 004BB3B8
                                                                                                                                        • InitializeCriticalSectionAndSpinCount, xrefs: 004BB3C7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                        • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
                                                                                                                                        • API String ID: 1646373207-3733552308
                                                                                                                                        • Opcode ID: 065c5ee9301acb99b336af0136d0fe804d84dc50aac6328f9ae0f09c3a203172
                                                                                                                                        • Instruction ID: 4cdd7522c63a12aae8b7fbc18abfd429a4e2e5dd736a8fa39830840a83f16290
                                                                                                                                        • Opcode Fuzzy Hash: 065c5ee9301acb99b336af0136d0fe804d84dc50aac6328f9ae0f09c3a203172
                                                                                                                                        • Instruction Fuzzy Hash: 10F01730610309EBCB209BA59D4969E3BE0FB40714F04922BF911E6251D7F88950DBB9
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_PJ-0020241013_setup.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Info
                                                                                                                                        • String ID: $
                                                                                                                                        • API String ID: 1807457897-3032137957
                                                                                                                                        APIs
                                                                                                                                        • ___initmbctable.LIBCMT ref: 004B1F18
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PJ-0020241013_setup.exe,00000104,75570A60,00000000,?,?,?,?,004AC566,?,01EEB4F8,00000060), ref: 004B1F30
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileModuleName___initmbctable
                                                                                                                                        • String ID: C:\Users\user\Desktop\PJ-0020241013_setup.exe
                                                                                                                                        • API String ID: 767393020-2949297226
                                                                                                                                        APIs
                                                                                                                                        • HeapReAlloc.KERNEL32(00000000,00000050,00000000,004B7E23,00000000,?,00000000), ref: 004B7859
                                                                                                                                        • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,004B7E23,00000000,?,00000000), ref: 004B7892
                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004B78B0
                                                                                                                                        • HeapFree.KERNEL32(00000000,?), ref: 004B78C7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocHeap$FreeVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3499195154-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(01F5A338,?,00000000,?,?,004CB165,00000010,75570A60,00000000,?,?,?,004CAB4C,004CABAF,004CA42A,004CAB52), ref: 004CBE13
                                                                                                                                        • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,004CB165,00000010,75570A60,00000000,?,?,?,004CAB4C,004CABAF,004CA42A,004CAB52), ref: 004CBE25
                                                                                                                                        • LeaveCriticalSection.KERNEL32(01F5A338,?,00000000,?,?,004CB165,00000010,75570A60,00000000,?,?,?,004CAB4C,004CABAF,004CA42A,004CAB52), ref: 004CBE2E
                                                                                                                                        • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,004CB165,00000010,75570A60,00000000,?,?,?,004CAB4C,004CABAF,004CA42A,004CAB52,004C5925), ref: 004CBE40
                                                                                                                                          • Part of subcall function 004CBD45: GetVersion.KERNEL32(?,004CBDE8,?,004CB165,00000010,75570A60,00000000,?,?,?,004CAB4C,004CABAF,004CA42A,004CAB52,004C5925,004C6BC7), ref: 004CBD58
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1485805984.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1193629340-0

                                                                                                                                        Execution Graph

                                                                                                                                        Execution Coverage:5%
                                                                                                                                        Dynamic/Decrypted Code Coverage:91%
                                                                                                                                        Signature Coverage:4.9%
                                                                                                                                        Total number of Nodes:1224
                                                                                                                                        Total number of Limit Nodes:35
__ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64636->64639 64674 2f4df98 62 API calls _swscanf 64637->64674 64640 2f37135 64639->64640 64640->64537 64641 2f3715a 64641->64632 64642 2f3717a 64641->64642 64643 2f4cff9 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64642->64643 64644 2f37189 64643->64644 64644->64537 64646 2f37262 WSAStringToAddressA 64645->64646 64647 2f3724c 64645->64647 64650 2f3725c 64646->64650 64651 2f37287 64646->64651 64647->64646 64648 2f37251 WSASetLastError 64647->64648 64648->64650 64650->64543 64652 2f37297 64651->64652 64653 2f3728c htons 64651->64653 64652->64543 64653->64652 64655 2f37e6a 64654->64655 64656 2f37e3a setsockopt setsockopt 64654->64656 64657 2f37e9f 64655->64657 64658 2f37e6f setsockopt setsockopt 64655->64658 64656->64558 64659 2f37ed4 SetLastError 64657->64659 64660 2f37ea4 setsockopt setsockopt 64657->64660 64658->64558 64659->64558 64660->64558 64662 2f4d001 64661->64662 64663 2f4d003 IsDebuggerPresent 64661->64663 64662->64548 64675 2f545be 64663->64675 64666 2f4e947 SetUnhandledExceptionFilter UnhandledExceptionFilter 64667 2f4e964 __call_reportfault 64666->64667 64668 2f4e96c GetCurrentProcess TerminateProcess 64666->64668 64667->64668 64668->64548 64669->64543 64673->64568 64674->64641 64675->64666 64677->64593 64679 2f50397 TlsSetValue 64678->64679 64680 2f4de8a 64678->64680 64679->64680 64682 2f50264 64680->64682 64684 2f5026d 64682->64684 64685 2f4de96 64684->64685 64686 2f5028b Sleep 64684->64686 64710 2f521ad 64684->64710 64685->64614 64688 2f5053d 64685->64688 64687 2f502a0 64686->64687 64687->64684 64687->64685 64719 2f504c4 GetLastError 64688->64719 64690 2f50545 64691 2f4dea3 64690->64691 64731 2f4d74d 62 API calls 5 library calls 64690->64731 64693 2f50410 64691->64693 64733 2f50030 64693->64733 64695 2f5041c GetModuleHandleW 64734 2f50c18 64695->64734 64697 2f5045a InterlockedIncrement 64741 2f504b2 64697->64741 64700 2f50c18 __lock 60 API calls 64701 
2f5047b 64700->64701 64744 2f53c57 InterlockedIncrement 64701->64744 64703 2f50499 64756 2f504bb 64703->64756 64705 2f504a6 __CRT_INIT@12 64705->64622 64706->64608 64707->64612 64708->64617 64709->64612 64711 2f521b9 64710->64711 64715 2f521d4 _malloc 64710->64715 64712 2f521c5 64711->64712 64711->64715 64718 2f4ed31 62 API calls __getptd_noexit 64712->64718 64714 2f521e7 HeapAlloc 64714->64715 64717 2f5220e 64714->64717 64715->64714 64715->64717 64716 2f521ca 64716->64684 64717->64684 64718->64716 64720 2f50382 ___set_flsgetvalue 2 API calls 64719->64720 64721 2f504db 64720->64721 64722 2f50531 SetLastError 64721->64722 64723 2f50264 __calloc_crt 59 API calls 64721->64723 64722->64690 64724 2f504ef 64723->64724 64724->64722 64725 2f50510 64724->64725 64726 2f50528 64724->64726 64727 2f50410 __getptd_noexit 59 API calls 64725->64727 64732 2f4d16d 62 API calls 2 library calls 64726->64732 64729 2f50518 GetCurrentThreadId 64727->64729 64729->64722 64730 2f5052e 64730->64722 64731->64691 64732->64730 64733->64695 64735 2f50c40 EnterCriticalSection 64734->64735 64736 2f50c2d 64734->64736 64735->64697 64759 2f50b56 62 API calls 9 library calls 64736->64759 64738 2f50c33 64738->64735 64760 2f4d74d 62 API calls 5 library calls 64738->64760 64740 2f50c3f 64740->64735 64761 2f50b3f LeaveCriticalSection 64741->64761 64743 2f50474 64743->64700 64745 2f53c75 InterlockedIncrement 64744->64745 64746 2f53c78 64744->64746 64745->64746 64747 2f53c85 64746->64747 64748 2f53c82 InterlockedIncrement 64746->64748 64749 2f53c92 64747->64749 64750 2f53c8f InterlockedIncrement 64747->64750 64748->64747 64751 2f53c9c InterlockedIncrement 64749->64751 64753 2f53c9f 64749->64753 64750->64749 64751->64753 64752 2f53cb8 InterlockedIncrement 64752->64753 64753->64752 64754 2f53cc8 InterlockedIncrement 64753->64754 64755 2f53cd3 InterlockedIncrement 64753->64755 64754->64753 64755->64703 64762 2f50b3f LeaveCriticalSection 64756->64762 64758 2f504c2 64758->64705 64759->64738 64760->64740 
64761->64743 64762->64758 64764 2f50382 ___set_flsgetvalue 2 API calls 64763->64764 64765 2f4de06 64764->64765 64776 2f50362 TlsGetValue 64765->64776 64768 2f4de15 ___fls_setvalue@8 64774 2f4de35 GetCurrentThreadId 64768->64774 64775 2f4de28 GetLastError ExitThread 64768->64775 64769 2f4de3f 64778 2f50557 64769->64778 64771 2f4de5a 64814 2f4ddba 64771->64814 64774->64771 64777 2f4de11 64776->64777 64777->64768 64777->64769 64780 2f50563 __CRT_INIT@12 64778->64780 64779 2f50665 __CRT_INIT@12 64779->64771 64780->64779 64781 2f5057b 64780->64781 64825 2f4d16d 62 API calls 2 library calls 64780->64825 64783 2f50589 64781->64783 64826 2f4d16d 62 API calls 2 library calls 64781->64826 64785 2f50597 64783->64785 64827 2f4d16d 62 API calls 2 library calls 64783->64827 64786 2f505a5 64785->64786 64828 2f4d16d 62 API calls 2 library calls 64785->64828 64789 2f505b3 64786->64789 64829 2f4d16d 62 API calls 2 library calls 64786->64829 64791 2f505c1 64789->64791 64830 2f4d16d 62 API calls 2 library calls 64789->64830 64793 2f505cf 64791->64793 64831 2f4d16d 62 API calls 2 library calls 64791->64831 64794 2f505e0 64793->64794 64832 2f4d16d 62 API calls 2 library calls 64793->64832 64797 2f50c18 __lock 62 API calls 64794->64797 64798 2f505e8 64797->64798 64799 2f505f4 InterlockedDecrement 64798->64799 64800 2f5060d 64798->64800 64799->64800 64801 2f505ff 64799->64801 64834 2f50671 LeaveCriticalSection _doexit 64800->64834 64801->64800 64833 2f4d16d 62 API calls 2 library calls 64801->64833 64803 2f5061a 64805 2f50c18 __lock 62 API calls 64803->64805 64806 2f50621 64805->64806 64813 2f50652 64806->64813 64835 2f53ce6 8 API calls 64806->64835 64809 2f5065f 64838 2f4d16d 62 API calls 2 library calls 64809->64838 64811 2f50636 64811->64813 64836 2f53d7f 62 API calls 4 library calls 64811->64836 64837 2f5067d LeaveCriticalSection _doexit 64813->64837 64815 2f4ddc6 __CRT_INIT@12 64814->64815 64816 2f5053d __getptd 62 API calls 64815->64816 64817 2f4ddcb 64816->64817 64839 2f3dbd0 
SetLastError GetCurrentThreadId 64817->64839 64861 2f3e2c0 GetCurrentThreadId 64817->64861 64818 2f4ddd5 64873 2f4dd9b 64818->64873 64820 2f4dddb 64821 2f5222f __XcptFilter 62 API calls 64820->64821 64822 2f4ddec 64821->64822 64825->64781 64826->64783 64827->64785 64828->64786 64829->64789 64830->64791 64831->64793 64832->64794 64833->64800 64834->64803 64835->64811 64836->64813 64837->64809 64838->64779 64879 2f43550 64839->64879 64841 2f3dbf2 GetCurrentThreadId 64842 2f3dc07 64841->64842 64843 2f3dc46 64842->64843 64913 2f4d16d 62 API calls 2 library calls 64842->64913 64880 2f35670 64843->64880 64846 2f3dcd0 GetCurrentThreadId 64848 2f3dce5 GetCurrentThreadId 64846->64848 64847 2f3dc70 WSAWaitForMultipleEvents 64853 2f3dc5a 64847->64853 64851 2f3dd0a 64848->64851 64851->64818 64853->64846 64853->64847 64854 2f3dd27 64853->64854 64855 2f3dd18 64853->64855 64859 2f3dcb8 64853->64859 64891 2f3dd60 WSAEnumNetworkEvents 64853->64891 64914 2f3e050 64853->64914 64854->64846 64856 2f3dd31 WSAGetLastError 64855->64856 64857 2f3dd1d 64855->64857 64856->64846 64931 2f223e0 RaiseException __CxxThrowException@8 64857->64931 64930 2f3df00 recv SetLastError GetLastError WSAGetLastError 64859->64930 64993 2f3d760 64861->64993 64863 2f3e2d1 64864 2f3e2d5 64863->64864 64999 2f3e470 64863->64999 64864->64818 64867 2f3e305 WSACloseEvent 64868 2f3e30f 64867->64868 64869 2f3e331 64868->64869 64870 2f3e317 shutdown closesocket 64868->64870 65014 2f3e350 EnterCriticalSection 64869->65014 64870->64869 64871 2f3e33d 64871->64818 64874 2f504c4 __getptd_noexit 62 API calls 64873->64874 64875 2f4dda5 64874->64875 64876 2f4ddb0 ExitThread 64875->64876 65045 2f50686 74 API calls __freefls@4 64875->65045 64878 2f4ddaf 64878->64876 64879->64841 64881 2f3570b 64880->64881 64882 2f35681 64880->64882 64881->64853 64882->64881 64883 2f356ab 64882->64883 64884 2f356b8 64882->64884 64932 2f4dcee 64883->64932 64950 2f4d0d9 64884->64950 64887 2f356b3 64887->64881 64888 2f356d4 std::exception::exception 
64887->64888 64964 2f4d16d 62 API calls 2 library calls 64887->64964 64965 2f4e82e RaiseException 64888->64965 64892 2f3dd93 64891->64892 64894 2f3dd9c 64891->64894 64982 2f46740 WSAGetLastError WSAResetEvent RaiseException 64892->64982 64895 2f3de68 64894->64895 64897 2f3ddc1 64894->64897 64976 2f3de80 64894->64976 64896 2f4cff9 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64895->64896 64900 2f3de77 64896->64900 64897->64895 64898 2f3ddd7 64897->64898 64899 2f3ddde 64897->64899 64983 2f3df00 recv SetLastError GetLastError WSAGetLastError 64898->64983 64899->64895 64903 2f3de0a 64899->64903 64905 2f3e050 14 API calls 64899->64905 64900->64853 64903->64895 64906 2f3de2a 64903->64906 64904 2f3dddc 64904->64899 64905->64903 64907 2f3de52 64906->64907 64908 2f3de3e 64906->64908 64910 2f4cff9 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64907->64910 64909 2f4cff9 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@@Z 5 API calls 64908->64909 64911 2f3de4e 64909->64911 64912 2f3de64 64910->64912 64911->64853 64912->64853 64913->64843 64919 2f3e087 64914->64919 64915 2f3e093 EnterCriticalSection 64915->64919 64916 2f3e1ae 64916->64853 64918 2f3e0e4 LeaveCriticalSection 64918->64919 64919->64915 64919->64916 64919->64918 64920 2f3e137 64919->64920 64921 2f3e168 EnterCriticalSection 64919->64921 64929 2f3e125 HeapFree 64919->64929 64984 2f3e1d0 64919->64984 64991 2f4c2c0 InterlockedCompareExchange InterlockedCompareExchange InterlockedCompareExchange 64919->64991 64992 2f4c2c0 InterlockedCompareExchange InterlockedCompareExchange InterlockedCompareExchange 64920->64992 64923 2f3e181 LeaveCriticalSection 64921->64923 64923->64916 64925 2f3e143 64927 2f3e147 HeapFree 64925->64927 64928 2f3e154 64925->64928 64927->64928 64928->64853 64929->64919 64930->64853 64933 2f4dd04 64932->64933 64934 2f4dcf9 64932->64934 64936 2f4dd0c 64933->64936 64941 2f4dd19 _malloc 64933->64941 64935 2f4d0d9 _malloc 62 API calls 64934->64935 
64938 2f4dd01 64935->64938 64966 2f4d16d 62 API calls 2 library calls 64936->64966 64938->64887 64939 2f4dd14 __dosmaperr 64939->64887 64940 2f4dd51 _malloc 64967 2f4ed31 62 API calls __getptd_noexit 64940->64967 64941->64940 64942 2f4dd21 HeapReAlloc 64941->64942 64943 2f4dd81 64941->64943 64947 2f4dd69 64941->64947 64942->64939 64942->64941 64969 2f4ed31 62 API calls __getptd_noexit 64943->64969 64946 2f4dd86 GetLastError 64946->64939 64968 2f4ed31 62 API calls __getptd_noexit 64947->64968 64949 2f4dd6e GetLastError 64949->64939 64951 2f4d156 _malloc 64950->64951 64953 2f4d0e7 _malloc 64950->64953 64975 2f4ed31 62 API calls __getptd_noexit 64951->64975 64952 2f4d0f2 64952->64953 64970 2f4ec84 62 API calls __NMSG_WRITE 64952->64970 64971 2f4ead5 62 API calls 6 library calls 64952->64971 64972 2f4d4d0 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 64952->64972 64953->64952 64956 2f4d115 RtlAllocateHeap 64953->64956 64959 2f4d142 64953->64959 64962 2f4d140 64953->64962 64956->64953 64957 2f4d14e 64956->64957 64957->64887 64973 2f4ed31 62 API calls __getptd_noexit 64959->64973 64974 2f4ed31 62 API calls __getptd_noexit 64962->64974 64964->64888 64965->64881 64966->64939 64967->64939 64968->64949 64969->64946 64970->64952 64971->64952 64973->64962 64974->64957 64975->64957 64977 2f3dea3 64976->64977 64978 2f3de88 WSAEventSelect 64976->64978 64977->64897 64979 2f3de9d WSAGetLastError 64978->64979 64980 2f3debc SetLastError 64978->64980 64979->64977 64981 2f3dedb 64980->64981 64981->64897 64982->64894 64983->64904 64985 2f3e276 64984->64985 64986 2f3e1e4 64984->64986 64985->64919 64986->64985 64987 2f3e1f5 send 64986->64987 64989 2f3e281 WSAGetLastError 64986->64989 64987->64986 64988 2f3e209 EnterCriticalSection LeaveCriticalSection SetLastError 64987->64988 64988->64986 64990 2f3e28e 64989->64990 64990->64919 64991->64919 64992->64925 64994 2f3d78c 64993->64994 64996 2f3d79a 64993->64996 65029 2f2ac90 InterlockedCompareExchange SwitchToThread 
64994->65029 64997 2f3d7e7 SetLastError 64996->64997 64998 2f3d7ae 64996->64998 64997->64863 64998->64863 65000 2f3e2e0 64999->65000 65001 2f3e484 64999->65001 65000->64867 65000->64868 65002 2f3e534 CloseHandle 65001->65002 65003 2f3e48d SetEvent 65001->65003 65002->65000 65004 2f3e4b4 MsgWaitForMultipleObjects 65003->65004 65005 2f3e4ce PeekMessageA 65004->65005 65007 2f3e500 65004->65007 65005->65004 65008 2f3e4df 65005->65008 65006 2f3e531 65006->65002 65007->65006 65010 2f3e51c SetLastError 65007->65010 65011 2f3e527 65007->65011 65030 2f223e0 RaiseException __CxxThrowException@8 65007->65030 65008->65004 65009 2f3e4e0 TranslateMessage DispatchMessageA PeekMessageA 65008->65009 65009->65008 65009->65009 65010->65011 65031 2f223e0 RaiseException __CxxThrowException@8 65011->65031 65015 2f3e372 65014->65015 65016 2f3e384 ResetEvent ResetEvent ResetEvent 65014->65016 65042 2f4d16d 62 API calls 2 library calls 65015->65042 65032 2f218a0 65016->65032 65019 2f3e378 65019->65016 65023 2f3e3c2 HeapDestroy 65024 2f3e3c9 HeapCreate 65023->65024 65025 2f3e3f2 65024->65025 65026 2f3e438 SetEvent LeaveCriticalSection 65024->65026 65027 2f3e409 65025->65027 65043 2f223e0 RaiseException __CxxThrowException@8 65025->65043 65026->64871 65027->65026 65029->64996 65033 2f218a7 65032->65033 65034 2f218e4 65032->65034 65033->65034 65035 2f218d1 HeapFree 65033->65035 65036 2f21970 65034->65036 65035->65033 65037 2f2199e 65036->65037 65038 2f21977 65036->65038 65039 2f219ae 65037->65039 65044 2f4d16d 62 API calls 2 library calls 65037->65044 65038->65037 65040 2f21985 HeapFree 65038->65040 65039->65023 65039->65024 65040->65038 65042->65019 65044->65039 65045->64878 65046 fb137f 65047 fb1389 65046->65047 65053 fb141a 65046->65053 65057 1012e20 65047->65057 65052 fb13dd 65054 fb14b3 65053->65054 65055 fb142a 65053->65055 65054->65047 65055->65054 65061 fb15b2 65055->65061 65095 100fb40 65057->65095 65059 fb138f 65059->65052 65060 fb1645 NtProtectVirtualMemory 65059->65060 
65060->65052 65080 fb1527 GetPEB 65061->65080 65064 fb16ac 65067 fb1527 GetPEB 65064->65067 65065 fb1527 GetPEB 65066 fb15da 65065->65066 65066->65064 65069 fb1527 GetPEB 65066->65069 65068 fb16a6 65067->65068 65068->65054 65070 fb15f2 65069->65070 65070->65064 65071 fb1527 GetPEB 65070->65071 65072 fb160a 65071->65072 65072->65064 65073 fb1527 GetPEB 65072->65073 65074 fb1622 65073->65074 65074->65064 65082 fb16be 65074->65082 65077 fb163e 65091 fb1672 NtProtectVirtualMemory 65077->65091 65081 fb1540 65080->65081 65081->65064 65081->65065 65083 fb16d9 65082->65083 65084 fb1636 65083->65084 65085 fb16ee CreateFileW 65083->65085 65084->65064 65084->65077 65085->65084 65086 fb1731 65085->65086 65086->65084 65087 fb1773 SetFilePointer 65086->65087 65087->65084 65088 fb178d ReadFile 65087->65088 65088->65084 65089 fb17bc 65088->65089 65089->65084 65090 fb17ce CloseHandle 65089->65090 65090->65084 65092 fb16ac 65091->65092 65093 fb1645 NtProtectVirtualMemory 65091->65093 65094 fb1527 GetPEB 65092->65094 65093->65054 65094->65093 65096 100fc05 65095->65096 65097 100fb6b 65095->65097 65098 100fea6 65096->65098 65101 100fc33 65096->65101 65227 107afac 40 API calls __wcstoi64 65096->65227 65099 100fb8a 65097->65099 65100 100fb93 GetProcAddress 65097->65100 65098->65059 65172 107afac 40 API calls __wcstoi64 65099->65172 65105 100fbb3 65100->65105 65106 100fbe8 65100->65106 65108 100fd71 65101->65108 65116 100fc5e __mbschr_l 65101->65116 65173 1017ed0 51 API calls 65105->65173 65226 100fb20 33 API calls 65106->65226 65110 100fd76 LoadLibraryA 65108->65110 65118 100fdcc 65108->65118 65119 100fdb8 FreeLibrary 65108->65119 65110->65108 65113 100fd86 GetProcAddress 65110->65113 65111 100fbc3 65174 100ff20 wsprintfA 65111->65174 65112 100fbef 65112->65059 65113->65108 65117 100fd3c LoadLibraryA 65116->65117 65121 100fcb2 65116->65121 65122 100fc8a 65116->65122 65117->65118 65123 100fd49 GetProcAddress 65117->65123 65118->65098 65126 100fde1 FreeLibrary 65118->65126 65127 100fde8 
65118->65127 65119->65108 65157 109a0af 65121->65157 65125 109a0af 36 API calls 65122->65125 65123->65118 65124 100fd59 65123->65124 65124->65118 65130 100fc96 LoadLibraryA 65125->65130 65126->65127 65133 100fe50 65127->65133 65134 100fdf9 65127->65134 65132 1099e66 30 API calls 65130->65132 65131 109a0af 36 API calls 65135 100fcdc LoadLibraryA 65131->65135 65136 100fca6 65132->65136 65229 1017ed0 51 API calls 65133->65229 65228 1017ed0 51 API calls 65134->65228 65167 1099e66 65135->65167 65136->65121 65136->65123 65140 100fe0e 65143 100ff20 138 API calls 65140->65143 65142 100fe64 65145 100ff20 138 API calls 65142->65145 65146 100fe29 65143->65146 65144 1099e66 30 API calls 65149 100fcfd 65144->65149 65147 100fe7f 65145->65147 65148 1099e66 30 API calls 65146->65148 65150 1099e66 30 API calls 65147->65150 65151 100fe3a 65148->65151 65149->65123 65152 100fd34 65149->65152 65154 109a0af 36 API calls 65149->65154 65153 100fe90 65150->65153 65151->65059 65152->65117 65152->65123 65153->65059 65155 100fd24 LoadLibraryA 65154->65155 65156 1099e66 30 API calls 65155->65156 65156->65152 65158 109a0b9 __EH_prolog 65157->65158 65159 109a0d8 lstrlenA 65158->65159 65160 109a0d4 65158->65160 65159->65160 65230 109a00b 65160->65230 65162 109a0f6 65234 1099bdb 65162->65234 65165 1099e66 30 API calls 65166 100fcc8 65165->65166 65166->65131 65168 100fcec 65167->65168 65169 1099e76 InterlockedDecrement 65167->65169 65168->65144 65169->65168 65170 1099e84 65169->65170 65283 1099d55 29 API calls 65170->65283 65172->65100 65173->65111 65284 109a1f6 33 API calls 65174->65284 65176 10100b9 65291 109a1f6 33 API calls 65176->65291 65178 10100c6 65201 101012a 65178->65201 65292 1099ed4 65178->65292 65179 1099ed4 76 API calls 65180 101013f 65179->65180 65190 101017a 65180->65190 65301 1017110 wsprintfA 65180->65301 65182 10100e8 65300 109a232 32 API calls 65182->65300 65183 100ff8b 65183->65176 65221 100ffbd 65183->65221 65285 109a1f6 33 API calls 65183->65285 65187 10100f8 65196 1099e66 30 
API calls 65187->65196 65189 1010151 65302 109a1f6 33 API calls 65189->65302 65191 10101ad 65190->65191 65305 109a1f6 33 API calls 65190->65305 65308 109a232 32 API calls 65191->65308 65195 1010161 65303 109a1f6 33 API calls 65195->65303 65196->65201 65197 1010197 65306 109a1f6 33 API calls 65197->65306 65198 10101b9 65309 1018290 MessageBoxA 65198->65309 65200 101016d 65304 109a1f6 33 API calls 65200->65304 65201->65179 65205 10101d1 65201->65205 65310 1003910 GetProcessHeap HeapFree 65205->65310 65206 10101a0 65307 109a1f6 33 API calls 65206->65307 65207 10101c2 65208 1099e66 30 API calls 65207->65208 65208->65205 65211 100ffd4 65286 109a1f6 33 API calls 65211->65286 65214 10101ea 65311 1013320 131 API calls 65214->65311 65215 1010014 65287 109a1f6 33 API calls 65215->65287 65290 109a1f6 33 API calls 65221->65290 65222 1010021 65222->65221 65288 109a1f6 33 API calls 65222->65288 65224 1010074 65289 109a1f6 33 API calls 65224->65289 65226->65112 65227->65101 65228->65140 65229->65142 65231 109a01f 65230->65231 65232 109a025 _memmove 65230->65232 65239 1099cd3 65231->65239 65232->65162 65235 1099bf8 65234->65235 65236 1099bea InterlockedIncrement 65234->65236 65282 1099fa3 33 API calls 65235->65282 65237 1099c08 65236->65237 65237->65165 65241 1099ce8 65239->65241 65244 1099cdf 65239->65244 65240 1099cf0 65246 1079e0b 65240->65246 65241->65240 65243 1099d2f 65241->65243 65253 1099ba7 65243->65253 65244->65232 65257 107e634 65246->65257 65248 1079e15 EnterCriticalSection 65249 1079e64 LeaveCriticalSection 65248->65249 65250 1079e33 65248->65250 65249->65244 65258 1099690 27 API calls 65250->65258 65252 1079e45 65252->65249 65256 1099bad 65253->65256 65255 1099bcb 65255->65244 65256->65255 65259 107be8e 65256->65259 65257->65248 65258->65252 65260 107bf0b 65259->65260 65264 107be9c 65259->65264 65280 10885c6 DecodePointer 65260->65280 65262 107bf11 65281 107cd86 27 API calls __getptd_noexit 65262->65281 65266 107beca RtlAllocateHeap 65264->65266 65268 107bea7 
65264->65268 65269 107bef7 65264->65269 65273 107bef5 65264->65273 65277 10885c6 DecodePointer 65264->65277 65266->65264 65267 107bf03 65266->65267 65267->65256 65268->65264 65275 1080f03 27 API calls __FF_MSGBANNER 65268->65275 65276 107fff7 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 65268->65276 65278 107cd86 27 API calls __getptd_noexit 65269->65278 65279 107cd86 27 API calls __getptd_noexit 65273->65279 65275->65268 65277->65264 65278->65273 65279->65267 65280->65262 65281->65267 65282->65237 65283->65168 65284->65183 65285->65211 65286->65215 65287->65222 65288->65224 65289->65221 65290->65176 65291->65178 65293 1099ee8 65292->65293 65294 1099efb _memmove 65292->65294 65295 1099efd lstrlenA 65293->65295 65296 1099ef2 65293->65296 65294->65182 65295->65294 65298 1099f0a 65295->65298 65312 109f682 65296->65312 65299 1099cd3 29 API calls 65298->65299 65299->65294 65300->65187 65301->65189 65302->65195 65303->65200 65304->65190 65305->65197 65306->65206 65307->65191 65308->65198 65309->65207 65310->65214 65323 109f706 65312->65323 65315 109f6c8 65319 109f706 74 API calls 65315->65319 65320 109f6ee 65315->65320 65328 109a24a 32 API calls _memmove 65315->65328 65316 109f6b0 65327 1099fa3 33 API calls 65316->65327 65319->65315 65329 109a299 33 API calls 65320->65329 65322 109f6bf 65322->65294 65330 10a3289 65323->65330 65326 109f6a5 65326->65315 65326->65316 65327->65322 65328->65315 65329->65322 65335 10a3811 65330->65335 65332 109f70c LoadStringA 65332->65326 65336 10a381a 65335->65336 65337 10a3847 TlsGetValue 65335->65337 65339 10a3834 65336->65339 65347 10a3411 73 API calls 65336->65347 65338 10a385a 65337->65338 65342 10a386d 65338->65342 65343 10a3298 65338->65343 65348 10a34aa EnterCriticalSection 65339->65348 65341 10a3845 65341->65337 65358 10a3619 73 API calls _memset 65342->65358 65343->65332 65346 10a38a6 7 API calls __EH_prolog 65343->65346 65346->65332 65347->65339 65349 10a34c9 65348->65349 65350 10a3503 GlobalAlloc 65349->65350 
65351 10a3516 GlobalHandle GlobalUnlock GlobalReAlloc 65349->65351 65357 10a3585 _memset 65349->65357 65353 10a3538 65350->65353 65351->65353 65352 10a359a LeaveCriticalSection 65352->65341 65354 10a3561 GlobalLock 65353->65354 65355 10a3546 GlobalHandle GlobalLock LeaveCriticalSection 65353->65355 65354->65357 65359 1097fe7 73 API calls 3 library calls 65355->65359 65357->65352 65358->65343 65359->65354 65360 fba69d 65361 fba6a2 65360->65361 65362 fba960 GetLongPathNameA 65361->65362 65363 fba8bd 65361->65363 65362->65363 65364 fbaa72 65367 fba3d4 65364->65367 65366 fbaa7a 65368 fba590 GetLongPathNameA 65367->65368 65369 fba408 65368->65369 65371 fba55b 65369->65371 65373 fb3c84 65369->65373 65379 fbaa30 DeleteFileA 65369->65379 65371->65366 65374 fb3cba 65373->65374 65375 fb3e70 SetWaitableTimer 65374->65375 65377 fb3d53 65374->65377 65378 fb3e9d 65375->65378 65376 fb3f66 CloseHandle 65376->65377 65377->65369 65378->65376 65380 fbaa50 65379->65380 65380->65369 65381 fa5190 65382 fa534b 65381->65382 65383 fa519b 65381->65383 65382->65382 65384 fa52aa LoadLibraryA 65383->65384 65389 fa52e6 VirtualProtect VirtualProtect 65383->65389 65385 fa52c1 65384->65385 65385->65383 65386 fa52c8 GetProcAddress 65385->65386 65386->65385 65388 fa52e0 65386->65388 65389->65382 65390 fc1176 65391 fc117c 65390->65391 65392 fc11ae RegOpenKeyA 65391->65392 65393 fc11cc 65392->65393 65394 fc11f3 RegEnumKeyA 65393->65394 65397 fc1211 65394->65397 65395 fc1235 RegEnumKeyA 65395->65397 65396 fc1a95 65397->65395 65397->65396 65398 fcdcb1 65401 fcdb20 65398->65401 65404 fcdb3a 65401->65404 65402 fb3c84 2 API calls 65402->65404 65403 fcb220 10 API calls 65403->65404 65404->65402 65404->65403 65405 fb2eb4 65418 fb30cc SetProcessDEPPolicy 65405->65418 65407 fb2ec2 65420 fb313c 65407->65420 65409 fb2f2a 65428 fb54a8 65409->65428 65411 fb2f74 65412 fb3c84 2 API calls 65411->65412 65413 fb2fa8 65412->65413 65441 fb9a84 65413->65441 65415 fb3050 65416 fb9a84 2 API calls 65415->65416 65417 fb30ab 
65416->65417 65419 fb30ec 65418->65419 65419->65407 65421 fb314f 65420->65421 65447 fb35d4 65421->65447 65423 fb3374 65424 fb3495 CreateThread 65423->65424 65425 fb34be 65424->65425 65459 fb5489 65424->65459 65426 fb3510 CloseHandle 65425->65426 65427 fb34e2 65425->65427 65426->65427 65427->65409 65429 fb54ea 65428->65429 65474 fb7608 OpenFileMappingA 65429->65474 65431 fb55ec 65432 fb55f9 65431->65432 65439 fb56d8 65431->65439 65433 fb2998 MapViewOfFile 65432->65433 65437 fb5621 65433->65437 65435 fb57c9 65438 fb5663 65435->65438 65480 fb2998 65435->65480 65437->65438 65484 fb76a4 SetWaitableTimer CloseHandle 65437->65484 65438->65411 65476 fb2894 65439->65476 65442 fb9aac 65441->65442 65443 fb9b8e CreateThread 65442->65443 65445 fb9bb7 65442->65445 65443->65445 65485 fb9ddc 65443->65485 65444 fb9c67 65444->65415 65445->65444 65446 fb9c9f CloseHandle 65445->65446 65446->65444 65448 fb3616 65447->65448 65451 fb39e8 65448->65451 65450 fb38dc 65450->65423 65452 fb39fe 65451->65452 65454 fb3a09 65451->65454 65455 fb3a74 65452->65455 65454->65450 65456 fb3ab1 65455->65456 65458 fb3ab6 65455->65458 65456->65454 65457 fb3c84 2 API calls 65457->65458 65458->65456 65458->65457 65462 fb4964 65459->65462 65461 fb54a2 65463 fb4977 65462->65463 65468 fb4f88 65463->65468 65465 fb49b2 65466 fb4e90 65465->65466 65472 fb5430 CoUninitialize 65465->65472 65466->65461 65469 fb4fd5 65468->65469 65471 fb4fcb 65468->65471 65470 fb39e8 2 API calls 65469->65470 65469->65471 65470->65471 65471->65465 65473 fb544b 65472->65473 65473->65466 65475 fb7632 65474->65475 65475->65431 65477 fb28c9 65476->65477 65478 fb290b CreateFileMappingA 65477->65478 65479 fb2936 65478->65479 65479->65435 65481 fb29f8 65480->65481 65482 fb2a6b MapViewOfFile 65481->65482 65483 fb2a8e 65482->65483 65483->65438 65484->65438 65486 fb9df5 65485->65486 65487 fcdb13 65490 fcc0e4 65487->65490 65491 fcc0f7 65490->65491 65497 fcc440 65491->65497 65493 fb3c84 2 API calls 65496 fcc300 65493->65496 65494 fcc147 65495 
                                                                                                                                        APIs
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,00FCB304,00FC8BC1,00000000,00000000), ref: 00FCBC62
                                                                                                                                        • Process32First.KERNEL32(00000000,00000000,00000000,?,?,00FCB304,00FC8BC1,00000000,00000000), ref: 00FCBD3F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716308886.0000000000FCA000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2353314856-0
                                                                                                                                        • Opcode ID: 1e97415388c5a317bb21edce637a156cd3474bd7dae95e6b023034e9fbcf40e5
                                                                                                                                        • Instruction ID: 3399fd3186eeb27e788898abb8c4096476f969fa4dd72905367abdae1a9d4527
                                                                                                                                        • Opcode Fuzzy Hash: 1e97415388c5a317bb21edce637a156cd3474bd7dae95e6b023034e9fbcf40e5
                                                                                                                                        • Instruction Fuzzy Hash: B7D13CB1A812469BFF00CF98DCC2B99B7E5EF58324F290474E506AB341D379B960DB51
                                                                                                                                        APIs
                                                                                                                                        • GetSystemInfo.KERNELBASE(00000000), ref: 00FB11CD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoSystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 31276548-0
                                                                                                                                        • Opcode ID: 514f7736e35159f00159cc90d0e4638c4092ab114c67be39d47256c31115be1d
                                                                                                                                        • Instruction ID: ba91942df3d6b813687fcfbbaaf6cc9ad7688a654535b48457b71586947694fe
                                                                                                                                        • Opcode Fuzzy Hash: 514f7736e35159f00159cc90d0e4638c4092ab114c67be39d47256c31115be1d
                                                                                                                                        • Instruction Fuzzy Hash: C251F8F5A813428BEB10EFA9EC817897BE1FF55320B691471E5059B305E378B4A1EF11
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00FB16BE: CreateFileW.KERNELBASE ref: 00FB1720
                                                                                                                                          • Part of subcall function 00FB1672: NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,00FB1645,00000000), ref: 00FB168E
                                                                                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00FB13DD,?,00000020,00000040), ref: 00FB1660
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryProtectVirtual$CreateFile
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 979487009-0
                                                                                                                                        • Opcode ID: 9ef6091144c9afae0ab994df32d14f3ae22e5e43afb5f51c928a34d101794d04
                                                                                                                                        • Instruction ID: 9bc954c3f09f4c3c1adfdc937164c139d4de64345359a90f4f067ac5e3897a9f
                                                                                                                                        • Opcode Fuzzy Hash: 9ef6091144c9afae0ab994df32d14f3ae22e5e43afb5f51c928a34d101794d04
                                                                                                                                        • Instruction Fuzzy Hash: BA115BB19183015ED750BF768E1166E77E9BE91320F8D4A2CB885C6242EB34C801AFA7
                                                                                                                                        APIs
                                                                                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,00FB1645,00000000), ref: 00FB168E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                        • Opcode ID: d5b745597194fb917b8803b6d9f05f94d8236baaacbc0cb1f6b3fda40ae84708
                                                                                                                                        • Instruction ID: 2e71242e4e9562928a9f35e897a0a3499f4a930459b941b84059d5f7ae71d650
                                                                                                                                        • Opcode Fuzzy Hash: d5b745597194fb917b8803b6d9f05f94d8236baaacbc0cb1f6b3fda40ae84708
                                                                                                                                        • Instruction Fuzzy Hash: 5FE0E5F2814100ABE608AF76AD119563B50AB56324F54436CEA168A2D1E63285069FD2
                                                                                                                                        APIs
                                                                                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00FB13DD,?,00000020,00000040), ref: 00FB1660
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                        • Opcode ID: 5e1597baeab308979a9b62bdf8f4fc8007fee12c7127983bc406f1d035a79bc2
                                                                                                                                        • Instruction ID: e23b0667e1b424627f915e50792851ca1fc6d94a9efee915e1a0738eb004ff01
                                                                                                                                        • Opcode Fuzzy Hash: 5e1597baeab308979a9b62bdf8f4fc8007fee12c7127983bc406f1d035a79bc2
                                                                                                                                        • Instruction Fuzzy Hash: 0BD05EB20182447FE380DEA88A00D2B73DCAB85324F501A2DB191C61C0D520D4009B22
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716308886.0000000000FCA000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 9d85f2ef5a790b6b7d48d071bb8bbc346a2f4d2839d8e8e3bb58878e9f00853c
                                                                                                                                        • Instruction ID: 7441dc7850ef96502cd742fb3bd8f8bb19c8c6f34de7ec1c62e5e3d9439254d0
                                                                                                                                        • Opcode Fuzzy Hash: 9d85f2ef5a790b6b7d48d071bb8bbc346a2f4d2839d8e8e3bb58878e9f00853c
                                                                                                                                        • Instruction Fuzzy Hash: 7741717190474AEEDB01DFE8D8457ADFFB4BF24300F14859DD058A7242D738A624D7A2

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 02F3D49D
                                                                                                                                        • ResetEvent.KERNEL32(?,?,?,?), ref: 02F3D4EF
                                                                                                                                        • WSAGetLastError.WS2_32(00000005,?,?,?,?,?,?), ref: 02F3D526
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F3D546
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 02F3D54C
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F3D575
                                                                                                                                          • Part of subcall function 02F3DA60: WSAEventSelect.WS2_32(?,?,00000030), ref: 02F3DA7C
                                                                                                                                          • Part of subcall function 02F3DA60: connect.WS2_32(?,?,-0000001D), ref: 02F3DAA1
                                                                                                                                          • Part of subcall function 02F3DA60: WSAGetLastError.WS2_32(?,?,02F3D4C4,00000005,?,?,?,?,?,?), ref: 02F3DAB0
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 02F3D57B
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?), ref: 02F3D599
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F3D5BF
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F3D5D5
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F3D5E7
                                                                                                                                          • Part of subcall function 02F46080: bind.WS2_32(?,?,-0000001D), ref: 02F460B3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Event$ResetSelectbindconnect
                                                                                                                                        • String ID: CTcpClient::Start
                                                                                                                                        • API String ID: 1052395590-3740072585
                                                                                                                                        • Opcode ID: bf61686a2b7bee024420c0a3a0810ec7cbb51ce5ca039e2ac421735023394af2
                                                                                                                                        • Instruction ID: 9e6242128e9fb5f702ed6eeda2f55091e9e2974de185a2e8d99d1a85a3efc7d5
                                                                                                                                        • Opcode Fuzzy Hash: bf61686a2b7bee024420c0a3a0810ec7cbb51ce5ca039e2ac421735023394af2
                                                                                                                                        • Instruction Fuzzy Hash: 3D51B4B6A01615ABE711EF68DC84EAABBB9FF49784F004255EB0593340DB70E914CBE1

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • WSAEventSelect.WS2_32(?,?,00000030), ref: 02F3DA7C
                                                                                                                                        • connect.WS2_32(?,?,-0000001D), ref: 02F3DAA1
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,02F3D4C4,00000005,?,?,?,?,?,?), ref: 02F3DAB0
                                                                                                                                        • ioctlsocket.WS2_32(?,8004667E,?), ref: 02F3DAF0
                                                                                                                                        • connect.WS2_32(?,?,-0000001D), ref: 02F3DB1A
                                                                                                                                        • GetLastError.KERNEL32(?,?,02F3D4C4,00000005,?,?,?,?,?,?), ref: 02F3DB2C
                                                                                                                                        • WSAEventSelect.WS2_32(?,?,00000023), ref: 02F3DB59
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,02F3D4C4,00000005,?,?,?,?,?,?), ref: 02F3DB71
                                                                                                                                        • GetLastError.KERNEL32(?,?,02F3D4C4,00000005,?,?,?,?,?,?), ref: 02F3DB88
                                                                                                                                        • WSASetLastError.WS2_32(00000000,?,?,02F3D4C4,00000005,?,?,?,?,?,?), ref: 02F3DB94
                                                                                                                                        • WSASetLastError.WS2_32(00000000,?,?,02F3D4C4,00000005,?,?,?,?,?,?), ref: 02F3DBB3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$EventSelectconnect$ioctlsocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4229407392-0
                                                                                                                                        • Opcode ID: a44f46a7fbf451bc0aab902234fb952ced9dd44b70a757087b323576cfe6b17a
                                                                                                                                        • Instruction ID: 708f77c980b470971fade14add454e6d7aa5e13dc03a52aed61dc74b13a8f38d
                                                                                                                                        • Opcode Fuzzy Hash: a44f46a7fbf451bc0aab902234fb952ced9dd44b70a757087b323576cfe6b17a
                                                                                                                                        • Instruction Fuzzy Hash: CE41A772E01629EBD710DFA8D884AAAF7A4FB083A4B144755FA14D7280D735DE60CBD0

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(011D61A8,011D617C,00000100,?,011D618C,011D618C,010A3845,?,00000100,010A3298,010A2B97,0109F70C,00000100,0109F6A5,0118FEC4,?), ref: 010A34B9
                                                                                                                                        • GlobalAlloc.KERNELBASE(00002002,00000000,0118FEC4,?,011D618C,011D618C,010A3845,?,00000100,010A3298,010A2B97,0109F70C,00000100,0109F6A5,0118FEC4,?), ref: 010A350E
                                                                                                                                        • GlobalHandle.KERNEL32(01212A30), ref: 010A3517
                                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 010A3520
                                                                                                                                        • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 010A3532
                                                                                                                                        • GlobalHandle.KERNEL32(01212A30), ref: 010A3549
                                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 010A3550
                                                                                                                                        • LeaveCriticalSection.KERNEL32(0118FEC4,?,011D618C,011D618C,010A3845,?,00000100,010A3298,010A2B97,0109F70C,00000100,0109F6A5,0118FEC4,?,00000100,?), ref: 010A3556
                                                                                                                                        • GlobalLock.KERNEL32(?), ref: 010A3565
                                                                                                                                        • _memset.LIBCMT ref: 010A3580
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?), ref: 010A35AE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 496899490-0
                                                                                                                                        • Opcode ID: c488ab11a105c5102737c5dc240553f2e151f9e4fb6233c7214db8378c5ed969
                                                                                                                                        • Instruction ID: 9d69837909128f6951b59785546535963f9f8d7eac23433aedbe8059bc7afc90
                                                                                                                                        • Opcode Fuzzy Hash: c488ab11a105c5102737c5dc240553f2e151f9e4fb6233c7214db8378c5ed969
                                                                                                                                        • Instruction Fuzzy Hash: 2231C175200B05AFD7249F68DC89A6ABBE9FF44301B444A2EE9D2C7651EB76F9048B10

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,0119FEC4), ref: 0100FBA7
                                                                                                                                        • LoadLibraryA.KERNEL32(?,?,011AE7D8), ref: 0100FC99
                                                                                                                                        • LoadLibraryA.KERNELBASE(?,?), ref: 0100FCDF
                                                                                                                                        • LoadLibraryA.KERNELBASE(?,?,011AE6E0,00000001), ref: 0100FD27
                                                                                                                                        • LoadLibraryA.KERNEL32(00000001), ref: 0100FD3D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0100FD4F
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0100FDE2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$Load$AddressProc$Free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3120990465-0
                                                                                                                                        • Opcode ID: 954aa4142a065694b81f2c98f9fce851f176bd39111d17c2f1f62f2a956326d9
                                                                                                                                        • Instruction ID: 70ebad3fc18090a1c7f440d7196c5d4273fed024e3cfbe7dfaa754487a49e421
                                                                                                                                        • Opcode Fuzzy Hash: 954aa4142a065694b81f2c98f9fce851f176bd39111d17c2f1f62f2a956326d9
                                                                                                                                        • Instruction Fuzzy Hash: 13A1A271600703ABE725EF68C890BABF7E9BF94710F044A1EF99597281DB34E9058B91

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F3E363
                                                                                                                                        • _free.LIBCMT ref: 02F3E373
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F3E391
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F3E39A
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F3E3A3
                                                                                                                                        • HeapDestroy.KERNELBASE(?), ref: 02F3E3C3
                                                                                                                                        • HeapCreate.KERNELBASE(?,?,?), ref: 02F3E3DB
                                                                                                                                        • SetEvent.KERNEL32 ref: 02F3E455
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3E45F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Event$HeapReset$CriticalSection$CreateDestroyEnterErrorFreeLastLeave_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 465610239-0
                                                                                                                                        • Opcode ID: d073883a9682c3268cce40fcc64bb69631f358bc3bfe88e94f7a6916f22c5010
                                                                                                                                        • Instruction ID: 5c96815ec7245e4fda2f3144d6e45ac318113c897e0d07360f78ebd7786c0294
                                                                                                                                        • Opcode Fuzzy Hash: d073883a9682c3268cce40fcc64bb69631f358bc3bfe88e94f7a6916f22c5010
                                                                                                                                        • Instruction Fuzzy Hash: A5314875A00A06EFD705DF69D888996FBE8FF4C350B10866AEA19C7210DB31B925CF90

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 02F3DBDE
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F3DBEA
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F3DBFA
                                                                                                                                        • _free.LIBCMT ref: 02F3DC41
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 02F3DC7D
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F3DCD8
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F3DD02
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3DD31
                                                                                                                                          • Part of subcall function 02F3E050: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E09A
                                                                                                                                          • Part of subcall function 02F3E050: LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E0E5
                                                                                                                                          • Part of subcall function 02F3E050: HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E12C
                                                                                                                                          • Part of subcall function 02F3E050: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E14E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentThread$ErrorFreeHeapLast$CriticalSection$EnterEventsLeaveMultipleWait_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2087126906-0
                                                                                                                                        • Opcode ID: c6cc0bdce143464e5e30edfcd8f42696054180d956abb8e5140c6cfb1db8c5ec
                                                                                                                                        • Instruction ID: 9d9dd663cc8f7a88ea1424727b86d92fab3d687d224488a98b34961139ca3145
                                                                                                                                        • Opcode Fuzzy Hash: c6cc0bdce143464e5e30edfcd8f42696054180d956abb8e5140c6cfb1db8c5ec
                                                                                                                                        • Instruction Fuzzy Hash: C4416B74B002029FD715EF28C880B2AB7E5BF88394F148618DA19C7380DB74E925CFE2

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(?,00000000), ref: 02F3E496
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02F3E4C3
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F3E4D9
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F3E4E4
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F3E4EA
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F3E4F8
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F3E521
                                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 02F3E538
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1713936993-0
                                                                                                                                        • Opcode ID: 2b9da36e7bd59d02036c6810b941b4325e1e6e7d970fa6179b898817e5ab7734
                                                                                                                                        • Instruction ID: c00920afbfeeeb76599b52d2128e0c51e35453fdf50a97fcd27b84aaa1af0043
                                                                                                                                        • Opcode Fuzzy Hash: 2b9da36e7bd59d02036c6810b941b4325e1e6e7d970fa6179b898817e5ab7734
                                                                                                                                        • Instruction Fuzzy Hash: A821A772A40324AFEB24DB64DC45FAA73B8AF48790F144919EF01E72C0E774E944CB61

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F39040: StrChrA.SHLWAPI(00000000,0000005E,00000000,?,?,02F449D4,?,6EBCDBE2,?,00000000,?,?,?,?), ref: 02F3904B
                                                                                                                                          • Part of subcall function 02F37100: StrChrA.SHLWAPI(?,0000003A,?,02F375E6,6EBCDBE2), ref: 02F3711C
                                                                                                                                          • Part of subcall function 02F37240: WSASetLastError.WS2_32(00002741,?,?,02F44A13,?,?,6EBCDBE2,?,00000000,?,?,?), ref: 02F37256
                                                                                                                                        • WSAStringToAddressA.WS2_32(?,?,00000000,02F5D2D8,02F5D2D8,?,?,02F5D2D8,000000FF,?,02F3D476,?,?,?,?), ref: 02F3D8F6
                                                                                                                                        • WSASetLastError.WS2_32(0000273F,?,00000000,02F5D2D8,02F5D2D8,?,?,02F5D2D8,000000FF,?,02F3D476,?,?,?,?), ref: 02F3D910
                                                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 02F3D93D
                                                                                                                                        • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 02F3D989
                                                                                                                                        • WSAGetLastError.WS2_32(?,00000001,00000006,?,?,02F5D2D8,000000FF,?,02F3D476,?,?,?,?), ref: 02F3D994
                                                                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02F3D9DC
                                                                                                                                        • WSACreateEvent.WS2_32 ref: 02F3D9F0
                                                                                                                                          • Part of subcall function 02F37100: _swscanf.LIBCMT ref: 02F37155
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$AddressCreateEventIoctlString_swscanfsetsockoptsocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 449100552-0
                                                                                                                                        • Opcode ID: 3c9ac8281e54fec5f9e9b48bae16cb93747e2e1aa5e49d3894e99c60e226e38b
                                                                                                                                        • Instruction ID: f68e4db9f3d043b5e2adb6879aa503378cfcc03ad32b026e11bcba3abc2808ad
                                                                                                                                        • Opcode Fuzzy Hash: 3c9ac8281e54fec5f9e9b48bae16cb93747e2e1aa5e49d3894e99c60e226e38b
                                                                                                                                        • Instruction Fuzzy Hash: 6771E071E00219ABDB15EFA4C884BEEB7B5FF48790F044519EB12AB384D735A940CFA1

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • setsockopt.WS2_32(?,0000FFFF,000000FB,00000001,00000004), ref: 02F37E4E
                                                                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000004,00000000,00000004), ref: 02F37E60
                                                                                                                                        • setsockopt.WS2_32(?,0000FFFF,000000FB,00000000,00000004), ref: 02F37E83
                                                                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000004,00000000,00000004), ref: 02F37E95
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: setsockopt
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3981526788-0
                                                                                                                                        • Opcode ID: fce528c82d0d0d9b98f4f475861f5487c619119a5c95aefb04309bf1075f5e0a
                                                                                                                                        • Instruction ID: 9a4a2cdb03086e19a8718bea0bd3f28e25ef7b357392cc47bc95835a97d1867a
                                                                                                                                        • Opcode Fuzzy Hash: fce528c82d0d0d9b98f4f475861f5487c619119a5c95aefb04309bf1075f5e0a
                                                                                                                                        • Instruction Fuzzy Hash: 8F21EB72B8420A7AEA10D5949C82FBDB3A8DF86770F200775F714DB1C0DAB14E1943A5

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 02F4DE85
                                                                                                                                        • __calloc_crt.LIBCMT ref: 02F4DE91
                                                                                                                                        • __getptd.LIBCMT ref: 02F4DE9E
                                                                                                                                        • CreateThread.KERNELBASE(?,?,02F4DDFB,00000000,?,?), ref: 02F4DED5
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 02F4DEDF
                                                                                                                                        • _free.LIBCMT ref: 02F4DEE8
                                                                                                                                        • __dosmaperr.LIBCMT ref: 02F4DEF3
                                                                                                                                          • Part of subcall function 02F4ED31: __getptd_noexit.LIBCMT ref: 02F4ED31
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 155776804-0
                                                                                                                                        • Opcode ID: 1bc87767c66bb1d62fbec4f2717cb829e4032470af3914459c9f6050e9a8828c
                                                                                                                                        • Instruction ID: f99cfe36f1a0e8ce09cea65c3563855f4917c24bd95df946cf6e044beaeaa9a3
                                                                                                                                        • Opcode Fuzzy Hash: 1bc87767c66bb1d62fbec4f2717cb829e4032470af3914459c9f6050e9a8828c
                                                                                                                                        • Instruction Fuzzy Hash: 9B11E53260471AAFEB10AFA49C40D9B7FA9EF197E4B10052DFF1586140DFB1D8118AA0

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 02F4DE01
                                                                                                                                          • Part of subcall function 02F50382: TlsGetValue.KERNEL32(00000000,02F504DB,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?), ref: 02F5038B
                                                                                                                                          • Part of subcall function 02F50382: DecodePointer.KERNEL32(?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?,?,02F4D5FB,00000008), ref: 02F5039D
                                                                                                                                          • Part of subcall function 02F50382: TlsSetValue.KERNEL32(00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?,?,02F4D5FB), ref: 02F503AC
                                                                                                                                        • ___fls_getvalue@4.LIBCMT ref: 02F4DE0C
                                                                                                                                          • Part of subcall function 02F50362: TlsGetValue.KERNEL32(?,?,02F4DE11,00000000), ref: 02F50370
                                                                                                                                        • ___fls_setvalue@8.LIBCMT ref: 02F4DE1F
                                                                                                                                          • Part of subcall function 02F503B6: DecodePointer.KERNEL32(?,?,?,02F4DE24,00000000,?,00000000), ref: 02F503C7
                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 02F4DE28
                                                                                                                                        • ExitThread.KERNEL32 ref: 02F4DE2F
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4DE35
                                                                                                                                        • __freefls@4.LIBCMT ref: 02F4DE55
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2383549826-0
                                                                                                                                        • Opcode ID: ac8b7df1f8c92e0d2dea6814be4e3f1c68d44d52da651ac6009f523817858f0e
                                                                                                                                        • Instruction ID: 6eda578cd6a35ea6cb2210be541b0d11497eb3251228a2f02a3cfdec52fd0b3c
                                                                                                                                        • Opcode Fuzzy Hash: ac8b7df1f8c92e0d2dea6814be4e3f1c68d44d52da651ac6009f523817858f0e
                                                                                                                                        • Instruction Fuzzy Hash: 54F01D74905624ABD708BFB1C94885E7FAAAF4C3D4711849CEF4587216DF34D9428EA1
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyA.ADVAPI32(80000002,00000000,00000000,?), ref: 00FC11C2
                                                                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,00000000,000000FF), ref: 00FC1207
                                                                                                                                        • RegEnumKeyA.ADVAPI32(?,?,?,000000FF), ref: 00FC1250
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716212396.0000000000FC1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Enum$Open
                                                                                                                                        • String ID: Microsoft$}.KB
                                                                                                                                        • API String ID: 2886760741-3680007166
                                                                                                                                        • Opcode ID: 76acaad5ea67c43f3cbbf9bd858dcf2c5d8a09d5e3b89501285e0a0c3ef2483c
                                                                                                                                        • Instruction ID: 9a30ed51f544178d160c0bad2b77a0ae30b4835f1bc7782145d7d8567743e750
                                                                                                                                        • Opcode Fuzzy Hash: 76acaad5ea67c43f3cbbf9bd858dcf2c5d8a09d5e3b89501285e0a0c3ef2483c
                                                                                                                                        • Instruction Fuzzy Hash: CCC230B1E00309ABEF109FE4ED82FADB7B5FF14310F140429F605B6292E7B99954AB51

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E09A
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E0E5
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E12C
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E14E
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E16F
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3E1A8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterFreeHeapLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3296397286-0
                                                                                                                                        • Opcode ID: b7bbf19082bc7b233f4da46968c2149ec0843b6b6de87adc61f6d9e9cc5eaf1e
                                                                                                                                        • Instruction ID: 1fbcb6fc096d4e2766c0b947100ef335db163d52cdeb083a4fa39bd743beb5ba
                                                                                                                                        • Opcode Fuzzy Hash: b7bbf19082bc7b233f4da46968c2149ec0843b6b6de87adc61f6d9e9cc5eaf1e
                                                                                                                                        • Instruction Fuzzy Hash: 48414EB2A04704DFE715DFA4D984BABBBF8EF49754F40492EEA1ADB200D730A440CB60

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • send.WS2_32(00000000,?,?,00000000), ref: 02F3E1FD
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,02F3E107,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E210
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,02F3E107,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E21D
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,02F3E107,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E225
                                                                                                                                        • WSAGetLastError.WS2_32(?,02F3E107,00000000,00000000,6EBCDBE2,?,?), ref: 02F3E281
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeavesend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 421069059-0
                                                                                                                                        • Opcode ID: 3af1904b478d1973e1d971adf0cd8b6f88d01d56673b68464ea9ddea1ca2147b
                                                                                                                                        • Instruction ID: f865b41d27dcabc52487abcb06ba574ec2d9b5231c57d0e7b2c915dbc0586c4f
                                                                                                                                        • Opcode Fuzzy Hash: 3af1904b478d1973e1d971adf0cd8b6f88d01d56673b68464ea9ddea1ca2147b
                                                                                                                                        • Instruction Fuzzy Hash: F6316D72A002048FD729CF68E9C4A1BBBA5FF98350F104A59EA45CB345D771E951CBA1

                                                                                                                                        Control-flow Graph

                                                                                                                                        • Executed
                                                                                                                                        • Not Executed
                                                                                                                                        control_flow_graph 1097 fce5a6-fce60b call fce756 1100 fce6a4-fce6a9 1097->1100 1101 fce611-fce613 1097->1101 1102 fce616-fce632 1101->1102 1103 fce634-fce645 VirtualFree 1102->1103 1104 fce647-fce656 1102->1104 1105 fce68a-fce69c 1103->1105 1106 fce65e-fce665 1104->1106 1107 fce658 1104->1107 1105->1102 1110 fce6a2-fce6a3 1105->1110 1108 fce679 1106->1108 1109 fce667-fce669 1106->1109 1107->1106 1108->1105 1113 fce67b-fce686 VirtualProtect 1108->1113 1111 fce66b-fce66e 1109->1111 1112 fce670-fce672 1109->1112 1110->1100 1114 fce677 1111->1114 1112->1105 1115 fce674 1112->1115 1113->1105 1114->1108 1115->1114
                                                                                                                                        APIs
                                                                                                                                        • VirtualFree.KERNELBASE(?,?,00004000,?,00000000), ref: 00FCE641
                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,00000008,?,00000000), ref: 00FCE686
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716334197.0000000000FCE000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual$FreeProtect
                                                                                                                                        • String ID: $@
                                                                                                                                        • API String ID: 2581862158-1077428164
                                                                                                                                        • Opcode ID: 915545cbe567c01626b14eff9675be2d98f27318c9a73fb88666fa9e01ed22a5
                                                                                                                                        • Instruction ID: 09a12231066daaf06eede71b8e024d148dce8122a4536d5feec2fc7d81ab4eee
                                                                                                                                        • Opcode Fuzzy Hash: 915545cbe567c01626b14eff9675be2d98f27318c9a73fb88666fa9e01ed22a5
                                                                                                                                        • Instruction Fuzzy Hash: DE31CEB1A243028FE714CF00C999F6BB7E5FF84308F00860CE9859B280D775E948EB92
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716334197.0000000000FCE000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 73f8058f31a70a57219413918c6832f6b942fb9bc0d4648c68e87190fb238d92
                                                                                                                                        • Instruction ID: ecf629ed4dbf38888d35f64ed5f39933b4ddbc9a62758d715237c4081106df5f
                                                                                                                                        • Opcode Fuzzy Hash: 73f8058f31a70a57219413918c6832f6b942fb9bc0d4648c68e87190fb238d92
                                                                                                                                        • Instruction Fuzzy Hash: 41C17971A043029FDB24CF28C986F6AB7E5AF84724F18882DFA55CB390E774E805DB51
                                                                                                                                        APIs
                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,?,?,00FCB27E), ref: 00FCB79E
                                                                                                                                        • Process32First.KERNEL32(000000FF,00000000,00000000,?,?,?,?,00FCB27E), ref: 00FCB87B
                                                                                                                                        • Process32Next.KERNEL32(000000FF,00000000), ref: 00FCBAB8
                                                                                                                                        • CloseHandle.KERNELBASE(000000FF,?,?,?,?,?,?,?,00FCB27E), ref: 00FCBBA2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716308886.0000000000FCA000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 420147892-0
                                                                                                                                        • Opcode ID: 1a9c8fd91e62214f6e5526776fbbffa3cd4ed6f095ece1c77ba71ae75f891bd2
                                                                                                                                        • Instruction ID: 8f6c67356ea9d8836329b0decefc4a233c3f18b2ae5acc2e1be3c479f7b51f56
                                                                                                                                        • Opcode Fuzzy Hash: 1a9c8fd91e62214f6e5526776fbbffa3cd4ed6f095ece1c77ba71ae75f891bd2
                                                                                                                                        • Instruction Fuzzy Hash: 95E14CF1A412469BFB00CF58DCC2BA9B7A5EF64324F280474E646AB340D379B960DB52
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1e5232f104b32326ab540193b4c569144aebba3f03f0de8646892721a73bb20f
                                                                                                                                        • Instruction ID: 697979e03603cb06b93817690401624991c4c916cb2783873662b28ca3ec3ebd
                                                                                                                                        • Opcode Fuzzy Hash: 1e5232f104b32326ab540193b4c569144aebba3f03f0de8646892721a73bb20f
                                                                                                                                        • Instruction Fuzzy Hash: 47512CF2A54B515BDB218AB8CC807B57BE0EB53730B280739C9E1CB3C6E7945806A750
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CloseCreateHandlePointerRead
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4133201480-0
                                                                                                                                        • Opcode ID: 62edd3f8937766797592dcbd965f52fb709341c2fc7cd198a362f9a3edd5b525
                                                                                                                                        • Instruction ID: 7b2bca01fc2e7d7df0b7e8a8ebb1390627c8e062ef985e550c48ffd6771e016f
                                                                                                                                        • Opcode Fuzzy Hash: 62edd3f8937766797592dcbd965f52fb709341c2fc7cd198a362f9a3edd5b525
                                                                                                                                        • Instruction Fuzzy Hash: D64158B2A003098FCB00DF69C89469EBBF5BF48310F64896DE899E7241DB38D844DF91
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_free_mallocstd::exception::exception
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2028091880-0
                                                                                                                                        • Opcode ID: 217588096dc96445ca99d1a704243b4c2fdade0b71a57f9d179e675da82e927d
                                                                                                                                        • Instruction ID: 84d26cb78bf2a536a20957b8471c8f241383a77cce9d8d0d7ee508e9be481805
                                                                                                                                        • Opcode Fuzzy Hash: 217588096dc96445ca99d1a704243b4c2fdade0b71a57f9d179e675da82e927d
                                                                                                                                        • Instruction Fuzzy Hash: 2F1181B1A007049BDB31DF68D88466EB7E5AF986C4B50882DDA5AC7200FA70E544CFA1
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F3E2C4
                                                                                                                                        • WSACloseEvent.WS2_32(?), ref: 02F3E306
                                                                                                                                        • shutdown.WS2_32(02F2BFC7,00000001), ref: 02F3E31A
                                                                                                                                        • closesocket.WS2_32(02F2BFC7), ref: 02F3E324
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCurrentEventThreadclosesocketshutdown
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 802825583-0
                                                                                                                                        • Opcode ID: d94a2c7332aee80bc8e8210b966c6d9288888ea28a437ee083a6b7e917970feb
                                                                                                                                        • Instruction ID: 8375d2e3e13ac3a3fb6fdff5e142d2dbda89bd4ad9ba701ed5a784f8520f31a8
                                                                                                                                        • Opcode Fuzzy Hash: d94a2c7332aee80bc8e8210b966c6d9288888ea28a437ee083a6b7e917970feb
                                                                                                                                        • Instruction Fuzzy Hash: 31018034A007108FC6359F2DD84895AF7FABF883607104F1AF6A6C3794DB74E8028BA0
                                                                                                                                        APIs
                                                                                                                                        • SetWaitableTimer.KERNELBASE(00000000,00000003,00000000,00000000,00000000,00000000), ref: 00FB3E93
                                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 00FB3F71
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandleTimerWaitable
                                                                                                                                        • String ID: `
                                                                                                                                        • API String ID: 3962215526-1850852036
                                                                                                                                        • Opcode ID: 47ceb1b6e5ddceaca8c52f3775b86afb11c7f8aabc7b0392c08a8ddf423b6585
                                                                                                                                        • Instruction ID: 25c3b56db066d2c0b224a347ab0d1c7f257fb081a3f5d55b8f7a3c466c63dd4d
                                                                                                                                        • Opcode Fuzzy Hash: 47ceb1b6e5ddceaca8c52f3775b86afb11c7f8aabc7b0392c08a8ddf423b6585
                                                                                                                                        • Instruction Fuzzy Hash: 8B711970D8030EEBEF109F92D84ABFEBAB0BB04715F204555E51439190D7B65BA4EF92
                                                                                                                                        APIs
                                                                                                                                        • WSAEventSelect.WS2_32(?,?,00000023), ref: 02F3DE92
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3DE9D
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F3DEC9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$EventSelect
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2131222767-0
                                                                                                                                        • Opcode ID: 6a7e0d05c4ca2a0764b7672475df89ba7a10590b782b1aca28e4c918f9891733
                                                                                                                                        • Instruction ID: b6ce51fadf1a15bd577bfd93ec61ac21518c3fb0adf1c4335a75d372130b196c
                                                                                                                                        • Opcode Fuzzy Hash: 6a7e0d05c4ca2a0764b7672475df89ba7a10590b782b1aca28e4c918f9891733
                                                                                                                                        • Instruction Fuzzy Hash: EC0108B1A01B108FD3308F29E448B1BBBF1FB94764F104A5DE58687A94C7B5E5498B90
                                                                                                                                        APIs
                                                                                                                                        • WSASetLastError.WS2_32(00002741,?,?,02F44A13,?,?,6EBCDBE2,?,00000000,?,?,?), ref: 02F37256
                                                                                                                                        • WSAStringToAddressA.WS2_32(00000000,00000000,00000000,?,?,?,?,02F44A13,?,?,6EBCDBE2,?,00000000,?,?,?), ref: 02F3727D
                                                                                                                                        • htons.WS2_32(?), ref: 02F3728D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastStringhtons
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1418563660-0
                                                                                                                                        • Opcode ID: 67504853475261917cd35c151032e6e0bb24839c6f3fa04c3e47abd6c1069489
                                                                                                                                        • Instruction ID: 5b9a6d7b80f6b44a35b9323979e57b870f5320242c11ca6eadbdd9d4e0634153
                                                                                                                                        • Opcode Fuzzy Hash: 67504853475261917cd35c151032e6e0bb24839c6f3fa04c3e47abd6c1069489
                                                                                                                                        • Instruction Fuzzy Hash: 22F0B470E44208A7D7259F54D80AB7BF7E8FB05784F100459FA4DC7280E765D9508B91
                                                                                                                                        APIs
                                                                                                                                        • __getptd_noexit.LIBCMT ref: 02F4DDA0
                                                                                                                                          • Part of subcall function 02F504C4: GetLastError.KERNEL32(00000001,00000000,02F4ED36,02F4D162,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F504C8
                                                                                                                                          • Part of subcall function 02F504C4: ___set_flsgetvalue.LIBCMT ref: 02F504D6
                                                                                                                                          • Part of subcall function 02F504C4: __calloc_crt.LIBCMT ref: 02F504EA
                                                                                                                                          • Part of subcall function 02F504C4: DecodePointer.KERNEL32(00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?,?,02F4D5FB), ref: 02F50504
                                                                                                                                          • Part of subcall function 02F504C4: GetCurrentThreadId.KERNEL32 ref: 02F5051A
                                                                                                                                          • Part of subcall function 02F504C4: SetLastError.KERNEL32(00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?,?,02F4D5FB), ref: 02F50532
                                                                                                                                        • __freeptd.LIBCMT ref: 02F4DDAA
                                                                                                                                          • Part of subcall function 02F50686: TlsGetValue.KERNEL32(?,?,02F4E709,00000000,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F506A7
                                                                                                                                          • Part of subcall function 02F50686: TlsGetValue.KERNEL32(?,?,02F4E709,00000000,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F506B9
                                                                                                                                          • Part of subcall function 02F50686: DecodePointer.KERNEL32(00000000,?,02F4E709,00000000,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F506CF
                                                                                                                                          • Part of subcall function 02F50686: __freefls@4.LIBCMT ref: 02F506DA
                                                                                                                                          • Part of subcall function 02F50686: TlsSetValue.KERNEL32(00000027,00000000,?,02F4E709,00000000,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F506EC
                                                                                                                                        • ExitThread.KERNEL32 ref: 02F4DDB3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4224061863-0
                                                                                                                                        • Opcode ID: 5519d4b5a3502fe5158d61ed27a2a9ed72635b17141ad2a813554c8991c41805
                                                                                                                                        • Instruction ID: 4a011f75ca9943c61dbcbb1ae8255c2f18a2648f6713d59a06be3b845978cb01
                                                                                                                                        • Opcode Fuzzy Hash: 5519d4b5a3502fe5158d61ed27a2a9ed72635b17141ad2a813554c8991c41805
                                                                                                                                        • Instruction Fuzzy Hash: C7C08C304012282AEA1037318D0991A3A9E9D803C07410014BF0881042DE70E8508894
                                                                                                                                        APIs
                                                                                                                                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040,?,?,00000001), ref: 00F91738
                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00F9174D
                                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00F91846
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Virtual$Alloc$Free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3668210933-0
                                                                                                                                        • Opcode ID: a840156568594d10a00d7e6de64093038903b8becdb3eb13bdb90f6027d35e73
                                                                                                                                        • Instruction ID: 71da943e5532367040b2a7e70ae6db6dc73078c6b19a6b7dad62f6d807c08b57
                                                                                                                                        • Opcode Fuzzy Hash: a840156568594d10a00d7e6de64093038903b8becdb3eb13bdb90f6027d35e73
                                                                                                                                        • Instruction Fuzzy Hash: C151F134A042039BEB24DF55DC80EA7B3E9FF88718F04853DE8449B641E735E906DBA2
                                                                                                                                        APIs
                                                                                                                                        • WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 02F3DD88
                                                                                                                                          • Part of subcall function 02F46740: WSAGetLastError.WS2_32(00000001,00000001,?,02F3DD9C,?), ref: 02F46745
                                                                                                                                          • Part of subcall function 02F46740: WSAResetEvent.WS2_32(?,?,02F3DD9C,?), ref: 02F46782
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EnumErrorEventEventsLastNetworkReset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1050048411-3916222277
                                                                                                                                        • Opcode ID: 555d52cf6ffebab15d171f2accb90de77319cff09299ee71f789789e713902d4
                                                                                                                                        • Instruction ID: 4ddd732324b3a9db43b2f1a91faca0552532b57d3ad0edca40c52939a4eedb10
                                                                                                                                        • Opcode Fuzzy Hash: 555d52cf6ffebab15d171f2accb90de77319cff09299ee71f789789e713902d4
                                                                                                                                        • Instruction Fuzzy Hash: AB317371A007089BC721DF79E980B6AFBF6FF84694F14066EDA4AD7640EB31D944CB90
                                                                                                                                        APIs
                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000001,00000000,00000000,00010000,?,Function_00005489,00000001,00000000,00000001,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00FB34B4
                                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 00FB351B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateHandleThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3032276028-0
                                                                                                                                        • Opcode ID: 399e6fd2caf0d83464bc86654ae436ad1e165d106a0bdf7ccff734e0659b1512
                                                                                                                                        • Instruction ID: 92150ac92225f8db3ba784ddeda03f8670a8d78df8b072132aa6eea6f46f90c0
                                                                                                                                        • Opcode Fuzzy Hash: 399e6fd2caf0d83464bc86654ae436ad1e165d106a0bdf7ccff734e0659b1512
                                                                                                                                        • Instruction Fuzzy Hash: 08C14DB1E8030AAFEF10DF95CCC2BEE77B4EF18314F140025EB05AA252D6759A54AF91
                                                                                                                                        APIs
                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000001,00000000,00000000,00010000,00000001,00000000,Function_00009DDC,00000001,00000000), ref: 00FB9BAD
                                                                                                                                        • CloseHandle.KERNELBASE(00000000,00000000,00000001,00000000,00000000,00010000,00000001,00FB9F0E,00000000,00000004,00000000,00000000,00000000,00000000,00000008), ref: 00FB9CAA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716115608.0000000000FB7000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateHandleThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3032276028-0
                                                                                                                                        • Opcode ID: d2841cd7e08c3f0ae6e3121f711273a5f3f23dfd48bbbe8a036668fdfa7c05d1
                                                                                                                                        • Instruction ID: 84dfacc8f7875088c9221420b6f0565547978bd95149cd469ba1fc6cf317a3bc
                                                                                                                                        • Opcode Fuzzy Hash: d2841cd7e08c3f0ae6e3121f711273a5f3f23dfd48bbbe8a036668fdfa7c05d1
                                                                                                                                        • Instruction Fuzzy Hash: C3512A70D44209EBEF119F92DC46BEEBBB1FF04314F104065FA146A291C3BA5AA0EF91
                                                                                                                                        APIs
                                                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000014,?,00000004,00000000,00000000), ref: 00FCA987
                                                                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 00FCA9BD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716308886.0000000000FCA000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandleInformationToken
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3954737543-0
                                                                                                                                        • Opcode ID: 6d95270d488f0e6887b1c462e1aee4054fa41016da30de719e3831a1a16271f5
                                                                                                                                        • Instruction ID: d2b00d3889465aab611ddb40e3e684db9548031ee19e653b19fd1c156ca41284
                                                                                                                                        • Opcode Fuzzy Hash: 6d95270d488f0e6887b1c462e1aee4054fa41016da30de719e3831a1a16271f5
                                                                                                                                        • Instruction Fuzzy Hash: 78312F71D4020EEBEB10AF94CA0BFEDBA75EF04309F108059E5153A191D7796B94EF92
                                                                                                                                        APIs
                                                                                                                                        • HeapCreate.KERNELBASE(?,?,?,?,00000004,00000000,00000000,?,02F2BEA5), ref: 02F319F4
                                                                                                                                        • _free.LIBCMT ref: 02F31A33
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateException@8HeapThrow_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1065114656-0
                                                                                                                                        • Opcode ID: d9ff86b0b2bacaf0dc79d174ad3a7f85db48c8330caf81ebffadb4fdfb7cbaaf
                                                                                                                                        • Instruction ID: 5143ef448d411154f6923ca16f8d2732cbda4beab63ad56bc24789c59237b3bb
                                                                                                                                        • Opcode Fuzzy Hash: d9ff86b0b2bacaf0dc79d174ad3a7f85db48c8330caf81ebffadb4fdfb7cbaaf
                                                                                                                                        • Instruction Fuzzy Hash: 1F0199B0A00B408FD7318F2A9844607FAF8FF94781F104A1EE6DA87B10D3B4A149CF91
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 02F4DDC6
                                                                                                                                          • Part of subcall function 02F5053D: __getptd_noexit.LIBCMT ref: 02F50540
                                                                                                                                          • Part of subcall function 02F5053D: __amsg_exit.LIBCMT ref: 02F5054D
                                                                                                                                          • Part of subcall function 02F4DD9B: __getptd_noexit.LIBCMT ref: 02F4DDA0
                                                                                                                                          • Part of subcall function 02F4DD9B: __freeptd.LIBCMT ref: 02F4DDAA
                                                                                                                                          • Part of subcall function 02F4DD9B: ExitThread.KERNEL32 ref: 02F4DDB3
                                                                                                                                        • __XcptFilter.LIBCMT ref: 02F4DDE7
                                                                                                                                          • Part of subcall function 02F5222F: __getptd_noexit.LIBCMT ref: 02F52235
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 418257734-0
                                                                                                                                        • Opcode ID: ca66222f2367a5baf91f3e3b6577caad8d5821e8352edf0d3527e23839959f96
                                                                                                                                        • Instruction ID: cdb5faae1476d7e4db3c395b4f2f81202d34473475f038dc6e4e1554ba3fe459
                                                                                                                                        • Opcode Fuzzy Hash: ca66222f2367a5baf91f3e3b6577caad8d5821e8352edf0d3527e23839959f96
                                                                                                                                        • Instruction Fuzzy Hash: FEE0ECB5910600AFEB08BBA0DC49F6E7776EF09785F21008CE7025B2A0CF75AD40DE20
                                                                                                                                        APIs
                                                                                                                                        • GetDateFormatA.KERNELBASE(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FC5BE3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716258416.0000000000FC5000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DateFormat
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2793631785-0
                                                                                                                                        • Opcode ID: 75ba5d69247a1d4ceb41e55be284763d384791613a97374032b39c6ab191632e
                                                                                                                                        • Instruction ID: ff0fa8138202d774371810a8f2489fc2e325fc007110d8b463c41b9644d9694e
                                                                                                                                        • Opcode Fuzzy Hash: 75ba5d69247a1d4ceb41e55be284763d384791613a97374032b39c6ab191632e
                                                                                                                                        • Instruction Fuzzy Hash: C9F14BF5A402479BEF10DF98DC82B9E77B1FF28320F281465E9456B311E3786961DB22
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 00FB2AD8: __allrem.LIBCMT ref: 00FB2B0A
                                                                                                                                        • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000000,?,00000000), ref: 00FB2A84
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2716681407.000000000119B000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.000000000119F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011AE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716778147.00000000011DD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileView__allrem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2160234482-0
                                                                                                                                        • Opcode ID: b71bc46273ae3658a49bc02133889fe18bf6bf67d90389543632009249275100
                                                                                                                                        • Instruction ID: 8e27bde040adfa95860fdf3d812f5594b38fe3cd5ae9ed5390e8fb7dd14fcaf6
                                                                                                                                        • Opcode Fuzzy Hash: b71bc46273ae3658a49bc02133889fe18bf6bf67d90389543632009249275100
                                                                                                                                        • Instruction Fuzzy Hash: E141BE70D0060DEBDF00DF95E985BEEBBB5FF48300F618095E5903A195CB7A0A64DBA5
                                                                                                                                        APIs
                                                                                                                                        • GetLongPathNameA.KERNELBASE(00FBA8BD,00000000,00000104,?,?,?,?,?,?,?,00FBA8BD), ref: 00FBA9BE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716115608.0000000000FB7000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LongNamePath
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 82841172-0
                                                                                                                                        • Opcode ID: 09a5ecb608a94e0811c0900625616b94ce388fcd5df3e0e61e4f20a236ce825b
                                                                                                                                        • Instruction ID: 9cac1f2d1f7ef969c8150ada4e0ef4aa7c95a47331a7976406f2bfc07e8923b9
                                                                                                                                        • Opcode Fuzzy Hash: 09a5ecb608a94e0811c0900625616b94ce388fcd5df3e0e61e4f20a236ce825b
                                                                                                                                        • Instruction Fuzzy Hash: BD1136B1E00308FBEB10EAA5DD82BED76A89F14310F140465EB08A7252E6B55A54BB52
                                                                                                                                        APIs
                                                                                                                                        • CreateFileMappingA.KERNEL32(FFFFFFFF,?,00000004,00000000,00000000,?,00000000,00000000,00000001,?,00FB2518,?,00000001), ref: 00FB292C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFileMapping
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 524692379-0
                                                                                                                                        • Opcode ID: 65d7651f672f0feb172237f02a68e952360dc85969c99353004db6a83398470a
                                                                                                                                        • Instruction ID: 08db1daf8e5bfc01aed51b83492c417cd4c747567e132d99d7dbaab4bd654c09
                                                                                                                                        • Opcode Fuzzy Hash: 65d7651f672f0feb172237f02a68e952360dc85969c99353004db6a83398470a
                                                                                                                                        • Instruction Fuzzy Hash: DB110275D0020DAFEF119F95CD42BEEBBB5EB04350F104165E624AA2A0D3B64A64EF91
                                                                                                                                        APIs
                                                                                                                                        • GlobalMemoryStatusEx.KERNELBASE(00FCA51C,?,?,00FCA51C,00000000,00000000), ref: 00FCA83C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716308886.0000000000FCA000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: GlobalMemoryStatus
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1890195054-0
                                                                                                                                        • Opcode ID: 23943a8293839671e7b3be72a30f9f679bc0007751b625ee16fb4c4eeb0d46e6
                                                                                                                                        • Instruction ID: bbf646407bc205f2714541874122153969aae2abb0fbc8a91a57ca47f9252155
                                                                                                                                        • Opcode Fuzzy Hash: 23943a8293839671e7b3be72a30f9f679bc0007751b625ee16fb4c4eeb0d46e6
                                                                                                                                        • Instruction Fuzzy Hash: 9B0162B1E4020CBBEB50EBA4DC43F5DB7E9EF08311F2040A5EB08A7291E6755A10A792
                                                                                                                                        APIs
                                                                                                                                        • GetFileAttributesA.KERNELBASE(00FBDC13,?,?,00FBDC13), ref: 00FBDF59
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716164934.0000000000FBD000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AttributesFile
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                        • Opcode ID: 3df4c91583c6b33f028c9ea77e73b363a5af1c44387cf3ef7ededa757a2e65a4
                                                                                                                                        • Instruction ID: 6049df9901ff1a437179dd2037fd18f3908b3c30860f4b70a03d62a0d8bcfd1c
                                                                                                                                        • Opcode Fuzzy Hash: 3df4c91583c6b33f028c9ea77e73b363a5af1c44387cf3ef7ededa757a2e65a4
                                                                                                                                        • Instruction Fuzzy Hash: ECF03075D0920CFBDB20AFA5D9067ECBB70AB04320F2085A5E5552B2D1E77A1A50FF86
                                                                                                                                        APIs
                                                                                                                                        • RtlAdjustPrivilege.NTDLL(00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00FB10F0), ref: 00FB2137
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AdjustPrivilege
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3260937286-0
                                                                                                                                        • Opcode ID: ded100313c8d0b8770e3be95a31d8178d345f337c2450bb4a022bea9d2caf085
                                                                                                                                        • Instruction ID: c3878275d75d75908ea98d2d4d4a4ba5836653072454d9672835c504f1ed2147
                                                                                                                                        • Opcode Fuzzy Hash: ded100313c8d0b8770e3be95a31d8178d345f337c2450bb4a022bea9d2caf085
                                                                                                                                        • Instruction Fuzzy Hash: 85F0F93180120CEBEF519F44DC46BED7B75FB10705F108059FA042A150D3B65AA8AB92
                                                                                                                                        APIs
                                                                                                                                        • SetProcessDEPPolicy.KERNEL32(00000000,?,?,?,00FB2EC2), ref: 00FB30E2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: PolicyProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 691626081-0
                                                                                                                                        • Opcode ID: dd8c862d3bfb9a479f8ef585b3fde28a2c68fbe4ccf65fe345c03454065f2bb5
                                                                                                                                        • Instruction ID: 97252914a105390eb25f9e9a286b4efe08fdd04c1b2c0d44641fa44688de48c5
                                                                                                                                        • Opcode Fuzzy Hash: dd8c862d3bfb9a479f8ef585b3fde28a2c68fbe4ccf65fe345c03454065f2bb5
                                                                                                                                        • Instruction Fuzzy Hash: 6EE08634D8120CF7E710AF55D807BECB7A8DB40714F0044A5E5042B280D67A0B14AFD2
                                                                                                                                        APIs
                                                                                                                                        • WSAStartup.WS2_32(00000202), ref: 02F5D3CE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Startup
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 724789610-0
                                                                                                                                        • Opcode ID: ac398934515175ca961f0044664e4e6a7b37888b449cb2d466df289d75fda60b
                                                                                                                                        • Instruction ID: 6812897219931d1e1f741dc57dd03c2d9b6d8c00f4ddb726fbaf62001f4a74b8
                                                                                                                                        • Opcode Fuzzy Hash: ac398934515175ca961f0044664e4e6a7b37888b449cb2d466df289d75fda60b
                                                                                                                                        • Instruction Fuzzy Hash: FAE0D830E4020CEBD704EFA5FC0694DB7A9EB09380F40046AEB0987201DD71AA248E92
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 01099BAE
                                                                                                                                          • Part of subcall function 0107BE8E: __FF_MSGBANNER.LIBCMT ref: 0107BEA7
                                                                                                                                          • Part of subcall function 0107BE8E: RtlAllocateHeap.NTDLL(00000000,00000001,0109A216,0109A216,?,?,01099BB3,0109A216,00000200,0109A216,01099D38,0109A223,011AE608,?,011AE608,0109A025), ref: 0107BED3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_malloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 501242067-0
                                                                                                                                        • Opcode ID: 9079f141b052daec65daa0a870e35811809d1c7d85e87e28a27fe1b286719d6e
                                                                                                                                        • Instruction ID: 1ceb6457c532d0848b4ba3bad940e3cbc65835f309836b569d315d3960788665
                                                                                                                                        • Opcode Fuzzy Hash: 9079f141b052daec65daa0a870e35811809d1c7d85e87e28a27fe1b286719d6e
                                                                                                                                        • Instruction Fuzzy Hash: 22D05E227045321A1B72916E69A096F67E88BC1974305446DE590D7204EA28C80293A0
                                                                                                                                        APIs
                                                                                                                                        • OpenFileMappingA.KERNEL32(000F001F,00000001,00000001,00000001,00000001), ref: 00FB7628
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716115608.0000000000FB7000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileMappingOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1680863896-0
                                                                                                                                        • Opcode ID: 5b309260a8a54823d9060362ffe4317a518d8ef51565b8dc40d70fc2e95761d9
                                                                                                                                        • Instruction ID: 2987a720281075c254d2a9ec3101e76c0837e06b0fcceb9a3bba9021e3d0a64e
                                                                                                                                        • Opcode Fuzzy Hash: 5b309260a8a54823d9060362ffe4317a518d8ef51565b8dc40d70fc2e95761d9
                                                                                                                                        • Instruction Fuzzy Hash: 9FE08671A85308E7DB20AA959C43FA87725DB45B00F104065BB042E191D9B21550BAC7
                                                                                                                                        APIs
                                                                                                                                        • RtlAllocateHeap.NTDLL(01200000,00000000,?), ref: 01013351
                                                                                                                                          • Part of subcall function 0100FEE0: wsprintfA.USER32 ref: 0100FEF2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeapwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1352872168-0
                                                                                                                                        • Opcode ID: 74431b015b91445293b6079eb7beb1ced6e0175eaaa3aeea39f544ca235fad05
                                                                                                                                        • Instruction ID: 9ebffe89002510237c3352fe31e3f1f80183daf64bbcaf13af6d483f0ca37e75
                                                                                                                                        • Opcode Fuzzy Hash: 74431b015b91445293b6079eb7beb1ced6e0175eaaa3aeea39f544ca235fad05
                                                                                                                                        • Instruction Fuzzy Hash: 40E08CB5900208FFDB10DF98E841AAE77B8EB08750F008198F9084B340D636EE409B91
                                                                                                                                        APIs
                                                                                                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00F94A0F,?), ref: 00F95116
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 10892065-0
                                                                                                                                        • Opcode ID: 45113b4967226cf6ec4dbd910dea2eaaca2c3683a0ce78f974044461e3b133cf
                                                                                                                                        • Instruction ID: 3b6f380ad3446d0a2793ebce8c7c8bf96ea0c331ee1e410ab762ac1fe35ae453
                                                                                                                                        • Opcode Fuzzy Hash: 45113b4967226cf6ec4dbd910dea2eaaca2c3683a0ce78f974044461e3b133cf
                                                                                                                                        • Instruction Fuzzy Hash: EFD05E76A5034C9AEB105F717C087233BDCD788795F008437B81CC61A0E674CA40AA50
                                                                                                                                        APIs
                                                                                                                                        • DeleteFileA.KERNELBASE(00000000,00000000,00000000), ref: 00FBAA46
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716115608.0000000000FB7000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DeleteFile
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4033686569-0
                                                                                                                                        • Opcode ID: 48cdda17e43a3c4620d2cd4f93779c483ee2e03b6eec9dbaf10f6a9c9caa8cb2
                                                                                                                                        • Instruction ID: 37f7184c268afd18c89f5b8343ff1f91aba2b9bb883203736bc5320392ccbadf
                                                                                                                                        • Opcode Fuzzy Hash: 48cdda17e43a3c4620d2cd4f93779c483ee2e03b6eec9dbaf10f6a9c9caa8cb2
                                                                                                                                        • Instruction Fuzzy Hash: 7CE0CD31A0130CE7D7109F94DD03BAD77249B05B00F408065EA481A141D6312A20FFD7
                                                                                                                                        APIs
                                                                                                                                        • RtlFreeHeap.NTDLL(01200000,00000000,00000000,00000000), ref: 01013468
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3298025750-0
                                                                                                                                        • Opcode ID: af64b8bab7a48f1c395812877355e12395f497e53a4dffea8cc16eb3c7f5e1ba
                                                                                                                                        • Instruction ID: 00cc57fcb599272451700ff8b457bc4d3b41d73347aa3fff6fa6a69154b8bfea
                                                                                                                                        • Opcode Fuzzy Hash: af64b8bab7a48f1c395812877355e12395f497e53a4dffea8cc16eb3c7f5e1ba
                                                                                                                                        • Instruction Fuzzy Hash: 8AD02B74101204ABD728CE4CC559BBA3BECB784640F40C004F70C4E548DB38E480C790
                                                                                                                                        APIs
                                                                                                                                        • LoadStringA.USER32(?,?,?,?), ref: 0109F71D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LoadString
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2948472770-0
                                                                                                                                        • Opcode ID: 2e6f5047e645e8c55bfc394e94771782724be88e7d625413469a4c6b691bb6ad
                                                                                                                                        • Instruction ID: d36d66058c068f86a7e67a3350ba51e0bcdd7db9ca2a5f177043c826a9a4e186
                                                                                                                                        • Opcode Fuzzy Hash: 2e6f5047e645e8c55bfc394e94771782724be88e7d625413469a4c6b691bb6ad
                                                                                                                                        • Instruction Fuzzy Hash: AED0A9760083A29BCB52DFA0C808C8FBFE8BF54220B084C4EF8D083101C324C454EBA2
                                                                                                                                        APIs
                                                                                                                                        • CoUninitialize.COMBASE(00FB4E90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FB5441
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2716681407.000000000119B000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.000000000119F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011AE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716778147.00000000011DD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Uninitialize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3861434553-0
                                                                                                                                        • Opcode ID: f0e8fbe24556ab091b50e9567db5e4aa4db5838a805a827e8e61f03dba669b86
                                                                                                                                        • Instruction ID: 459aabb08efcac114da9def2bd54b4eb55bbed07354ac3c5f58fb1d61bff4770
                                                                                                                                        • Opcode Fuzzy Hash: f0e8fbe24556ab091b50e9567db5e4aa4db5838a805a827e8e61f03dba669b86
                                                                                                                                        • Instruction Fuzzy Hash: 18D0A770D4120CF7DB20BB606C03B7CB7289B00B00F1481E5EA4C2A181D576192095CB
                                                                                                                                        APIs
                                                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 02F3EEB8
                                                                                                                                        • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 02F3EF04
                                                                                                                                        • WSAGetLastError.WS2_32(?,00000001,00000006), ref: 02F3EF15
                                                                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02F3EF5C
                                                                                                                                        • ioctlsocket.WS2_32(?,8004667E,?), ref: 02F3EF84
                                                                                                                                        • bind.WS2_32(?,00000002,-0000001D), ref: 02F3EFB2
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,00000001,00000006), ref: 02F3EFC9
                                                                                                                                        • listen.WS2_32(?,00000000), ref: 02F3EFE8
                                                                                                                                        • WSAGetLastError.WS2_32(?,00000001,00000006), ref: 02F3F020
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F3F02C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Ioctlbindioctlsocketlistensetsockoptsocket
                                                                                                                                        • String ID: 0.0.0.0$CTcpServer::CreateListenSocket
                                                                                                                                        • API String ID: 3957589473-4023130488
                                                                                                                                        • Opcode ID: 1ef561e2b9c5e7771ef6777019348338254034caf6ed6bb8cbada5de6003e02c
                                                                                                                                        • Instruction ID: dda5665cc6c163525e05fdd12f4fb201789a36a7bc9dd071732b604ec592a273
                                                                                                                                        • Opcode Fuzzy Hash: 1ef561e2b9c5e7771ef6777019348338254034caf6ed6bb8cbada5de6003e02c
                                                                                                                                        • Instruction Fuzzy Hash: 94618E71E00309ABE720ABA9CC44B6BB7F5EF44794F14491DE756D7680DBB0E940CB61
                                                                                                                                        APIs
                                                                                                                                        • socket.WS2_32(?,00000002,00000011), ref: 02F47642
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?), ref: 02F47653
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F47666
                                                                                                                                        • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02F476A3
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?), ref: 02F476AE
                                                                                                                                        • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02F476E0
                                                                                                                                        • bind.WS2_32(?,?,-0000001D), ref: 02F47729
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?), ref: 02F47734
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F47747
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Ioctlbindioctlsocketsocket
                                                                                                                                        • String ID: CUdpNode::CreateListenSocket
                                                                                                                                        • API String ID: 3090496342-3901271356
                                                                                                                                        • Opcode ID: c6e335c73655ac12375dcab5b9f00a67db33eb2d68e9e657aed702af95443220
                                                                                                                                        • Instruction ID: b872c7368a26f62428263f7ea2cc4d2cad6cdd2151318a4cb193438699458a46
                                                                                                                                        • Opcode Fuzzy Hash: c6e335c73655ac12375dcab5b9f00a67db33eb2d68e9e657aed702af95443220
                                                                                                                                        • Instruction Fuzzy Hash: 1E51DA71D402159FE710AF78DC49BAABBA8DF457A0F1405A4FF08DF285EBB09940CBA1
                                                                                                                                        APIs
                                                                                                                                        • socket.WS2_32(?,00000002,00000011), ref: 02F4934C
                                                                                                                                        • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02F49380
                                                                                                                                        • WSAGetLastError.WS2_32(?,00000002,00000011), ref: 02F49391
                                                                                                                                        • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02F493DC
                                                                                                                                        • bind.WS2_32(?,00000002,-0000001D), ref: 02F4940D
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,00000002,00000011), ref: 02F49420
                                                                                                                                        • GetLastError.KERNEL32(?,00000002,00000011), ref: 02F49448
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F49464
                                                                                                                                        • WSAGetLastError.WS2_32(?,00000002,00000011), ref: 02F4946B
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F4947A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Ioctlbindioctlsocketsocket
                                                                                                                                        • String ID: 0.0.0.0$CUdpServer::CreateListenSocket
                                                                                                                                        • API String ID: 3090496342-2294428431
                                                                                                                                        • Opcode ID: 6ed6be5d9441404aabd7757f25b4cfb37aa10c5fe1ce2b88fffa0255b1549eac
                                                                                                                                        • Instruction ID: 180dac93fe9799d4cdab8b1ebc5905ded52e036f0e8102249e22ac0f2d72164f
                                                                                                                                        • Opcode Fuzzy Hash: 6ed6be5d9441404aabd7757f25b4cfb37aa10c5fe1ce2b88fffa0255b1549eac
                                                                                                                                        • Instruction Fuzzy Hash: 5341E771B00215ABD710DB68DD44BEEBBA8EF093A4F144154FB18D72D0DBB09E50CBA1
                                                                                                                                        APIs
                                                                                                                                        • WSASetLastError.WS2_32(00002741), ref: 02F39806
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3980C
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F3981C
                                                                                                                                        • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02F39858
                                                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 02F3986B
                                                                                                                                        • bind.WS2_32(00000000,?,-0000001D), ref: 02F39893
                                                                                                                                        • _memmove.LIBCMT ref: 02F398D9
                                                                                                                                        • closesocket.WS2_32(00000000), ref: 02F398E7
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F398F5
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F39905
                                                                                                                                        • closesocket.WS2_32(00000000), ref: 02F3991F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$closesocket$AddressString_memmovebindsocket
                                                                                                                                        • String ID: 0.0.0.0$CTcpAgent::ParseBindAddress
                                                                                                                                        • API String ID: 625981617-2878307296
                                                                                                                                        • Opcode ID: dcba37cd6219fe25ded604693aca526fbde820012af3f5801a19c9f959ac6135
                                                                                                                                        • Instruction ID: 23e180798f0fcf3eb9e9f0100bf8910c4c0af0f45cd37993e839857148d92fa8
                                                                                                                                        • Opcode Fuzzy Hash: dcba37cd6219fe25ded604693aca526fbde820012af3f5801a19c9f959ac6135
                                                                                                                                        • Instruction Fuzzy Hash: 2A411A72E01219A7EB156F789C45BEEBB78DF847A0F080565EF05E32C0E7F4894087A1
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 010108E5
                                                                                                                                        • IsWindow.USER32(00020462), ref: 01010901
                                                                                                                                        • SendMessageA.USER32(00020462,000083E7,?,00000000), ref: 0101091A
                                                                                                                                        • ExitProcess.KERNEL32 ref: 0101092F
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 01010A13
                                                                                                                                        • FreeLibrary.KERNEL32 ref: 01010A67
                                                                                                                                        • DestroyIcon.USER32(00000000), ref: 01010AB7
                                                                                                                                        • DestroyIcon.USER32(00000000), ref: 01010ACE
                                                                                                                                        • IsWindow.USER32(00020462), ref: 01010AE5
                                                                                                                                        • DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 01010B94
                                                                                                                                        • WSACleanup.WS2_32 ref: 01010BDF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3816745216-0
                                                                                                                                        • Opcode ID: 7a079b33c469ac57faac88ff08db38f849d345985fc6343b893fa1c1df5ffefb
                                                                                                                                        • Instruction ID: 2fb223c5f2bd06793f819ebe82ef6b64e55595ab6fff235d1ba1815d434c28b2
                                                                                                                                        • Opcode Fuzzy Hash: 7a079b33c469ac57faac88ff08db38f849d345985fc6343b893fa1c1df5ffefb
                                                                                                                                        • Instruction Fuzzy Hash: B9B16D702007029FE765DF78C8D4BEAB7E5BF58304F50496DE6EA97288DB34A981CB50
                                                                                                                                        APIs
                                                                                                                                        • WSASetLastError.WS2_32(00002741,?,?), ref: 02F3B661
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,02F3B57A,?,?), ref: 02F3B667
                                                                                                                                        • WSAStringToAddressA.WS2_32(?,?,00000000,?,?,?,?), ref: 02F3B68D
                                                                                                                                        • WSAGetLastError.WS2_32(?,00000000,?,?,?,?), ref: 02F3B697
                                                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 02F3B6CB
                                                                                                                                        • WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 02F3B72C
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3B737
                                                                                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02F3B77F
                                                                                                                                        • htons.WS2_32(00000000), ref: 02F3B7F6
                                                                                                                                        • bind.WS2_32(-0000001D,00000002,-0000001D), ref: 02F3B819
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3B824
                                                                                                                                          • Part of subcall function 02F37100: StrChrA.SHLWAPI(?,0000003A,?,02F375E6,6EBCDBE2), ref: 02F3711C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$AddressIoctlStringbindhtonssetsockoptsocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2139590513-0
                                                                                                                                        • Opcode ID: 88b1afc30cd22d6dc2b0a40b79e1864458b981be9904f59df83794a99ca37f43
                                                                                                                                        • Instruction ID: ac7fe317872c925f0f7a788f77eae5b0e050bc861983c7c884a74db14cfa90c4
                                                                                                                                        • Opcode Fuzzy Hash: 88b1afc30cd22d6dc2b0a40b79e1864458b981be9904f59df83794a99ca37f43
                                                                                                                                        • Instruction Fuzzy Hash: 7561DE71E002199BEB15DFA8C865BAEB3B5EF44398F104659E712EB2C0D7749A40CFA1
                                                                                                                                        APIs
                                                                                                                                        • bind.WS2_32(?,?,-0000001D), ref: 02F460B3
                                                                                                                                        • htons.WS2_32(?), ref: 02F460F7
                                                                                                                                        • bind.WS2_32(?,00000002,-0000001D), ref: 02F4611E
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F781CC), ref: 02F4613E
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F781CC), ref: 02F46149
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: IncrementInterlockedbind$htons
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1901664375-0
                                                                                                                                        • Opcode ID: 98f46e2ed50010cad9a25e4fc46540a7639744f75ba47f924f47f7224e115797
                                                                                                                                        • Instruction ID: d24a0fb943691be8ee7f6f87b1803529754aae36fe432d7578f318c742e765b4
                                                                                                                                        • Opcode Fuzzy Hash: 98f46e2ed50010cad9a25e4fc46540a7639744f75ba47f924f47f7224e115797
                                                                                                                                        • Instruction Fuzzy Hash: 6C210832D1011997A714EB7CDC41A6FBBACDB4A7B0B108616FA15C7181EB74E991C790
                                                                                                                                        APIs
                                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 02F4E935
                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02F4E94A
                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(02F5E3C0), ref: 02F4E955
                                                                                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 02F4E971
                                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 02F4E978
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2579439406-0
                                                                                                                                        • Opcode ID: d43e6fc2439ea82c8e81fa481d6da57498eace9558f879c2674577cbb950f454
                                                                                                                                        • Instruction ID: d2eb539933af5c51c40fcff46590fdcdbb89704f5ca0272367f2527de371c526
                                                                                                                                        • Opcode Fuzzy Hash: d43e6fc2439ea82c8e81fa481d6da57498eace9558f879c2674577cbb950f454
                                                                                                                                        • Instruction Fuzzy Hash: 7321C0B4CA1318DFD740EF29F888644FBB0BB08790F105C6AEA0987355E7B056A8CF45
                                                                                                                                        APIs
                                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 00F97A68
                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F97A7D
                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(00F9C9B8), ref: 00F97A88
                                                                                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 00F97AA4
                                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 00F97AAB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2579439406-0
                                                                                                                                        • Opcode ID: 45726687fe3bd9751b014c92d911babc1beff0b6f6ac44f063d9421e575d2b12
                                                                                                                                        • Instruction ID: b85121373d9bcdff2f11ac543efd2c4f49d59269569e8d68a67044f2a0c65ea5
                                                                                                                                        • Opcode Fuzzy Hash: 45726687fe3bd9751b014c92d911babc1beff0b6f6ac44f063d9421e575d2b12
                                                                                                                                        • Instruction Fuzzy Hash: 2C21CEF491130CDFDB40DF28F9856483BA4BB4E314F50902AEA0897271EBB45989EF59
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: 1.1.4
                                                                                                                                        • API String ID: 0-362073112
                                                                                                                                        • Opcode ID: 7b2669ec5a07210ef3a1515af3e2399c19d500ee6eaa4f8595677c4efd39a6f7
                                                                                                                                        • Instruction ID: 3617a8f8068ecf95d4a988e5d92851fbf26098c01bbf3bfe0f3b109b13c353e3
                                                                                                                                        • Opcode Fuzzy Hash: 7b2669ec5a07210ef3a1515af3e2399c19d500ee6eaa4f8595677c4efd39a6f7
                                                                                                                                        • Instruction Fuzzy Hash: 9AD1E1B6A046129BE314DF38C88062AB3E5FF49290F068669E85997749DB31FC91CBC1
                                                                                                                                        APIs
                                                                                                                                        • bind.WS2_32(?,?,-0000001D), ref: 02F44C06
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F781CC), ref: 02F44C20
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F781CC), ref: 02F44C2B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: IncrementInterlocked$bind
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3786334496-0
                                                                                                                                        • Opcode ID: 7727409e197db7bd6f7e4f9cdddbbf0843338876c924d738d337bcb690ce01e3
                                                                                                                                        • Instruction ID: e7f883fe65db95d8218ae071659604ab4a03e96a345492227228b6990e7acf7a
                                                                                                                                        • Opcode Fuzzy Hash: 7727409e197db7bd6f7e4f9cdddbbf0843338876c924d738d337bcb690ce01e3
                                                                                                                                        • Instruction Fuzzy Hash: C7E0DFB1D10A216AE7086B3CEC06B593A98AF092B07140746F312D31C0EBE4DD819AB0
                                                                                                                                        APIs
                                                                                                                                        • GetProcessHeap.KERNEL32(?,011AEA18,0100391C,01231208,?,010101EA,?,?), ref: 01003979
                                                                                                                                        • HeapFree.KERNEL32(01200000,00000000,01231208,?,011AEA18,0100391C,01231208,?,010101EA,?,?), ref: 01003988
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3859560861-0
                                                                                                                                        • Opcode ID: e455db9f5f474d09640d1b67fa0baedec62e268fd016f9bea1b54c1b8b886ed0
                                                                                                                                        • Instruction ID: 9a3ecab4410d3f3919982c7074b524f365af0fc347d2e87baa3ac7c92630c006
                                                                                                                                        • Opcode Fuzzy Hash: e455db9f5f474d09640d1b67fa0baedec62e268fd016f9bea1b54c1b8b886ed0
                                                                                                                                        • Instruction Fuzzy Hash: A7F096763016019FD722CB29E908B96BBA6EBD1715F49C47EE1D4CF289E731E401C7A0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716188271.0000000000FBE000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e98751c0085c93d4bfe575babc2a43918a14b3e1072f24ca66f5a1cbb62a07a5
                                                                                                                                        • Instruction ID: 52dc68754c567a4f4e87989be44e2e76bcf944b4fe0499fdb1fba780a2868eb5
                                                                                                                                        • Opcode Fuzzy Hash: e98751c0085c93d4bfe575babc2a43918a14b3e1072f24ca66f5a1cbb62a07a5
                                                                                                                                        • Instruction Fuzzy Hash: 28112B64A10209CBEB00DFA4D581BAFB375FF5C700F105169D508EB395E77A9E11C7AA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d2be7fd4554111fdd61e3eb7304aed579f726dfb4960e33780e18abd5a25df2e
                                                                                                                                        • Instruction ID: d89baa789a8e1bbe80232be4826ded2105424e47865a85c33771af04ced0a86c
                                                                                                                                        • Opcode Fuzzy Hash: d2be7fd4554111fdd61e3eb7304aed579f726dfb4960e33780e18abd5a25df2e
                                                                                                                                        • Instruction Fuzzy Hash: 9B112539604606CFCB74CF15C4D0AA673A2FB8930478889A8D9568B31AD330F915EFA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6816500293ebcbc6f50790f4b6538cac270248fea54944f7292acf58c09cb3ac
                                                                                                                                        • Instruction ID: 513f684a4e8f93f2ca854dc1c23cd25a5f448cab5ffcfb65805dfe102ef54f7f
                                                                                                                                        • Opcode Fuzzy Hash: 6816500293ebcbc6f50790f4b6538cac270248fea54944f7292acf58c09cb3ac
                                                                                                                                        • Instruction Fuzzy Hash: 2B01A27BB003049BAB24CE13C8E15A273E2FF893607918855C90187B0DE730FD46AE62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716308886.0000000000FCA000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2716642079.0000000001190000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716660170.0000000001199000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716681407.000000000119B000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.000000000119F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011AE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716778147.00000000011DD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e791d4b46d06381fc4d45f82530b7a929529039283b7c339ee76343b9ba59aaa
                                                                                                                                        • Instruction ID: 8232756d15f7f215c80ae1a6320c34bd718071cd04c070456d2f48eafd7073e3
                                                                                                                                        • Opcode Fuzzy Hash: e791d4b46d06381fc4d45f82530b7a929529039283b7c339ee76343b9ba59aaa
                                                                                                                                        • Instruction Fuzzy Hash: 1901847FA002059BAB14CE11C682B6973E2EB89760B518869C94147F09E730ED439A52
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716308886.0000000000FCA000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 21962bfc0c5e751e5a123b3854f54b1be391feb407acc70e6fb058679af21adf
                                                                                                                                        • Instruction ID: 47e037bf640177d734f22775777086a6907e6c83f61a04b89988b78e286eb8bd
                                                                                                                                        • Opcode Fuzzy Hash: 21962bfc0c5e751e5a123b3854f54b1be391feb407acc70e6fb058679af21adf
                                                                                                                                        • Instruction Fuzzy Hash: 6DF0F67A6083014BDB14CE14C6D2B9977E2EFC9360B598898CD9147B1FE338ED839B52
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4263d83a6fb9b114440df30be9fa905148a7d7abb542143c69aee057420f8470
                                                                                                                                        • Instruction ID: e90741102be9beb160dee7abb1585977e63cba974a6579ca2bdad74a7d373393
                                                                                                                                        • Opcode Fuzzy Hash: 4263d83a6fb9b114440df30be9fa905148a7d7abb542143c69aee057420f8470
                                                                                                                                        • Instruction Fuzzy Hash: B9F0C936A00650CFCB21DF09E4E0985B3E5FB09764BA94969D986E7B01C320FC44DF90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 3b2deb79e13e61ded0c8d404cd0bb8c9a3ab813605c934b4b00f919d9190d57d
                                                                                                                                        • Instruction ID: aaf1fa5fa21a1a1df01858c35b7e0903dc1608eb1d6190aa4af65ccf4f6ef768
                                                                                                                                        • Opcode Fuzzy Hash: 3b2deb79e13e61ded0c8d404cd0bb8c9a3ab813605c934b4b00f919d9190d57d
                                                                                                                                        • Instruction Fuzzy Hash: 45E02D7A200209AF8B80DF9CD880EAB77EDAB8C210B148544FA19C7301C630FD629BA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6c49fdd2755746407b380d3e66225006847016148d81a3283c9ebc212c3aec2b
                                                                                                                                        • Instruction ID: 074402e8b203748079ccda577a55a2b8c6fc7e433a556464f2a416201d4fb8c7
                                                                                                                                        • Opcode Fuzzy Hash: 6c49fdd2755746407b380d3e66225006847016148d81a3283c9ebc212c3aec2b
                                                                                                                                        • Instruction Fuzzy Hash: 09E0247A200209AFCB40DE9CD881EAA77EDAB8C610F148544FA09CB351C630F8629BA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _malloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1579825452-0
                                                                                                                                        • Opcode ID: 59b2dbcef8db3965b15254c9198b4e86403eca5ce37f8a20b8533fa161c13641
                                                                                                                                        • Instruction ID: 7679646eafa1aa3c24d91df97aec5cabe9971d9a7a98cb7e9557a2782701113c
                                                                                                                                        • Opcode Fuzzy Hash: 59b2dbcef8db3965b15254c9198b4e86403eca5ce37f8a20b8533fa161c13641
                                                                                                                                        • Instruction Fuzzy Hash: 9CE0BDF0A192008FD70C8F18A9498027FE0AB0831071A81FEE50ECF322C734C501CF89
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _malloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1579825452-0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716064858.0000000000FB1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2716698294.000000000119F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011AE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716778147.00000000011DD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F506FC
                                                                                                                                        • __mtterm.LIBCMT ref: 02F50708
                                                                                                                                          • Part of subcall function 02F503D3: DecodePointer.KERNEL32(0000000A,02F4E69D,02F4E683,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F503E4
                                                                                                                                          • Part of subcall function 02F503D3: TlsFree.KERNEL32(00000027,02F4E69D,02F4E683,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F503FE
                                                                                                                                          • Part of subcall function 02F503D3: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,02F4E69D,02F4E683,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F50B05
                                                                                                                                          • Part of subcall function 02F503D3: _free.LIBCMT ref: 02F50B08
                                                                                                                                          • Part of subcall function 02F503D3: DeleteCriticalSection.KERNEL32(00000027,?,?,02F4E69D,02F4E683,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F50B2F
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02F5071E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02F5072B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02F50738
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02F50745
                                                                                                                                        • TlsAlloc.KERNEL32(?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F50795
                                                                                                                                        • TlsSetValue.KERNEL32(00000000,?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F507B0
                                                                                                                                        • __init_pointers.LIBCMT ref: 02F507BA
                                                                                                                                        • EncodePointer.KERNEL32(?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F507CB
                                                                                                                                        • EncodePointer.KERNEL32(?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F507D8
                                                                                                                                        • EncodePointer.KERNEL32(?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F507E5
                                                                                                                                        • EncodePointer.KERNEL32(?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F507F2
                                                                                                                                        • DecodePointer.KERNEL32(Function_00030557,?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F50813
                                                                                                                                        • __calloc_crt.LIBCMT ref: 02F50828
                                                                                                                                        • DecodePointer.KERNEL32(00000000,?,?,02F4E5DA,02F67EC0,00000008,02F4E76E,?,?,?,02F67EE0,0000000C,02F4E829,?), ref: 02F50842
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F50854
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PNEw
                                                                                                                                        • API String ID: 3698121176-3835707568
                                                                                                                                        • Opcode ID: 753a504e50c174fbe583de807c825c1df931ed77e7d506ced2a832c350ea9165
                                                                                                                                        • Instruction ID: dc13aa7241f398f492ba204a1cbd5947a4ee624233b89a3fb90a90ab2659a539
                                                                                                                                        • Opcode Fuzzy Hash: 753a504e50c174fbe583de807c825c1df931ed77e7d506ced2a832c350ea9165
                                                                                                                                        • Instruction Fuzzy Hash: 00319532DA03289EE7107F75EC04916FBA5AB097E4B150D2AEF059B250EFB48864CF41
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F34FF2
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F35023
                                                                                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 02F35035
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,000000FF), ref: 02F35041
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 02F3504F
                                                                                                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 02F3505F
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F35076
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02F350CF
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F350DA
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F35102
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3511F
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F35135
                                                                                                                                        • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 02F35154
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F35168
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 02F35197
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?), ref: 02F351BC
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?), ref: 02F351D6
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F351EF
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F35208
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3520F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$CloseHandleObjectSingleWait$EventExchangeInterlockedReset$CompletionEnterExceptionPostQueuedRaiseStatus
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 579648409-0
                                                                                                                                        • Opcode ID: d73846bbdd3af7825561b3826d9621985cf87700a1e80a0190ac7e64c6a3de9b
                                                                                                                                        • Instruction ID: 8302ff46fd4f2b5c9f2d356b0456fc716af79126877f4236ef30fc74a9a3ab75
                                                                                                                                        • Opcode Fuzzy Hash: d73846bbdd3af7825561b3826d9621985cf87700a1e80a0190ac7e64c6a3de9b
                                                                                                                                        • Instruction Fuzzy Hash: 86619272B403269BD210AA68EC44B5AF7E8FF8C791F404A29FF45D3240D775E9258BA1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __mbsinc$__fassign__mbclen__vswprintflstrlen
                                                                                                                                        • String ID: %*.*f$I64
                                                                                                                                        • API String ID: 726598348-2444075078
                                                                                                                                        • Opcode ID: f808bd817695a98f9d7c1c73ed3d99f47c5801a75e9a358f40e0d8b89ce53e01
                                                                                                                                        • Instruction ID: 80b39bd94765746a2a3adbc5386854dc66b4be0ab4816acd8d1f79594df30c71
                                                                                                                                        • Opcode Fuzzy Hash: f808bd817695a98f9d7c1c73ed3d99f47c5801a75e9a358f40e0d8b89ce53e01
                                                                                                                                        • Instruction Fuzzy Hash: EC91297392424AABEF659F7CC9682BDBFF0AF19320F1840D9E5C0A7241D6348A41EF15
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 02F48427
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4842F
                                                                                                                                        • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 02F48456
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F48496
                                                                                                                                        • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 02F484BD
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F484C7
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F48504
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F48568
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F485C0
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F485CA
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?), ref: 02F485EC
                                                                                                                                        • SetLastError.KERNEL32(?), ref: 02F48612
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4868A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CurrentInterlockedThread$CompletionDecrementExchangeFreeHeapOverlappedQueuedResultStatus
                                                                                                                                        • String ID: <
                                                                                                                                        • API String ID: 2838343172-4251816714
                                                                                                                                        • Opcode ID: a2bd250ebbaceb92841ad6746cb8ba7c3c78d77c317ca7f355fb3abfcaa09a55
                                                                                                                                        • Instruction ID: b4a9e2c3fee0191dedc07a27c89ff70d9f4ba24b6b6eebe611dc3254e208574a
                                                                                                                                        • Opcode Fuzzy Hash: a2bd250ebbaceb92841ad6746cb8ba7c3c78d77c317ca7f355fb3abfcaa09a55
                                                                                                                                        • Instruction Fuzzy Hash: 92816271A002199FDB54DFA8CD84EAEBBB9FF48784B104519EA06DB244DF70EE05CB91
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F3CDE0
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F3CDED
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3CE10
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,?), ref: 02F3CE5D
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?), ref: 02F3CE63
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?), ref: 02F3CE6F
                                                                                                                                        • timeGetTime.WINMM(?), ref: 02F3CEC8
                                                                                                                                        • InterlockedCompareExchange.KERNEL32 ref: 02F3CEFC
                                                                                                                                        • timeGetTime.WINMM(?,00000000,744A47A0), ref: 02F3CF21
                                                                                                                                        • timeGetTime.WINMM(?,00000000,744A47A0), ref: 02F3CF2B
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3CF5D
                                                                                                                                        • DeleteCriticalSection.KERNEL32(744A4810,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02F327FB), ref: 02F3CFE5
                                                                                                                                        • DeleteCriticalSection.KERNEL32(744A47F8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02F327FB), ref: 02F3CFEB
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,744A47A0), ref: 02F3CFF7
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F3D006
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$CompareCriticalDeleteExchangeSection$Timetime$DecrementFreeHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 517897276-0
                                                                                                                                        • Opcode ID: 90eb4465db855eb730ebc0735942f98559cdeca47b3e4c864230a95c21b843ff
                                                                                                                                        • Instruction ID: c1f9dad29534298d3f693afb7097423829dcec9daad6fb938baa804c317224f8
                                                                                                                                        • Opcode Fuzzy Hash: 90eb4465db855eb730ebc0735942f98559cdeca47b3e4c864230a95c21b843ff
                                                                                                                                        • Instruction Fuzzy Hash: FF819F71A047159FD711CF28C880B1ABBE5FF88BA4F008A1AFA59DB294D774E941CF91
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,011AE608,00000000), ref: 01010594
                                                                                                                                        • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,0118FD28,?,?,?,?,?,?,00000000,011AE608,00000000), ref: 010105D1
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 01010607
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,011AE608,00000000), ref: 01010612
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,011AE608,00000000), ref: 01010620
                                                                                                                                        • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0101072D
                                                                                                                                        • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 01010762
                                                                                                                                        • _strrchr.LIBCMT ref: 010107E7
                                                                                                                                        • CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,011AE608,00000000), ref: 01010827
                                                                                                                                        • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 01010843
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$LoadType$FreeRegister$AddressFromProcString_strrchr
                                                                                                                                        • String ID: DllRegisterServer$DllUnregisterServer
                                                                                                                                        • API String ID: 3574613120-2931954178
                                                                                                                                        • Opcode ID: e1b3176a3719a240d9c27188c0e3a5fdac928f1092abec9aad8c12e6991ed144
                                                                                                                                        • Instruction ID: 8b7407255411e9cb1b08bd860bf4bd217a949760924f4377ec924b26f805cd1b
                                                                                                                                        • Opcode Fuzzy Hash: e1b3176a3719a240d9c27188c0e3a5fdac928f1092abec9aad8c12e6991ed144
                                                                                                                                        • Instruction Fuzzy Hash: D6B1C5B590020AEFDB14EFA4C854FEEB7B8FF54314F108559F895A7288DB389A45CB60
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F4C814
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F4C827
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4C852
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,?), ref: 02F4C877
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F4C891
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F4C8AC
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?), ref: 02F4C8C0
                                                                                                                                        • timeGetTime.WINMM(?), ref: 02F4C923
                                                                                                                                        • InterlockedCompareExchange.KERNEL32 ref: 02F4C957
                                                                                                                                        • timeGetTime.WINMM(?,00000000,744A47A0), ref: 02F4C980
                                                                                                                                        • timeGetTime.WINMM(?,00000000,744A47A0), ref: 02F4C98A
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4C9BC
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,744A47A0), ref: 02F4CA12
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F4CA21
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$CompareExchange$Timetime$CloseDecrementFreeHandleHeap$CriticalDeleteSection
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1801204590-0
                                                                                                                                        • Opcode ID: 7f5cc901a374cc9cf3dfc47730e3c05124dd126c58d155098756b28d113a60da
                                                                                                                                        • Instruction ID: 0aefae86593100991f2591c4a6ae827f0b2c12facdf88e2d06a6364dd26f303a
                                                                                                                                        • Opcode Fuzzy Hash: 7f5cc901a374cc9cf3dfc47730e3c05124dd126c58d155098756b28d113a60da
                                                                                                                                        • Instruction Fuzzy Hash: CD816271A05711AFD720CF24C884B1ABFE4BF44B94F045A2EFA9997280DBB4E544CB92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F4D059: _malloc.LIBCMT ref: 02F4D073
                                                                                                                                        • std::exception::exception.LIBCMT ref: 02F44574
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 02F44589
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?), ref: 02F44633
                                                                                                                                        • ResetEvent.KERNEL32(0000000C,?,?,?,?,?,?), ref: 02F44686
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorEventException@8LastResetThrow_mallocstd::exception::exception
                                                                                                                                        • String ID: CUdpCast::Start
                                                                                                                                        • API String ID: 3711864853-3828262324
                                                                                                                                        • Opcode ID: 796fce6b963393ce9fc26f6eb854fd85bdd1dcff406029308f3622d4e44b4348
                                                                                                                                        • Instruction ID: 59c158c1ea288b259ff143a06e0b09c53df4ea1e6321c429a6e28b5a06718315
                                                                                                                                        • Opcode Fuzzy Hash: 796fce6b963393ce9fc26f6eb854fd85bdd1dcff406029308f3622d4e44b4348
                                                                                                                                        • Instruction Fuzzy Hash: ED615075A00619AFE710DF65DC45B6ABBB5FF48384F008165EB09E7240EBB1A911CFE1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F45E40: WSASetLastError.WS2_32(00002741), ref: 02F45EE2
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 02F45ADD
                                                                                                                                        • ResetEvent.KERNEL32(?,?,?,?), ref: 02F45B31
                                                                                                                                        • WSAGetLastError.WS2_32(00000005,?,?,?,?,?,?,?,?), ref: 02F45B68
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F45B88
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?), ref: 02F45B8E
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F45BB7
                                                                                                                                          • Part of subcall function 02F46160: WSAEventSelect.WS2_32(?,?,00000030), ref: 02F4617B
                                                                                                                                          • Part of subcall function 02F46160: connect.WS2_32(?,?,-0000001D), ref: 02F461A0
                                                                                                                                          • Part of subcall function 02F46160: WSAGetLastError.WS2_32(?,7556DFA0,?,02F45B06,00000005,?,?,?,?,?,?,?,?), ref: 02F461AF
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?), ref: 02F45BBD
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 02F45BDB
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F45C01
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F45C17
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F45C29
                                                                                                                                          • Part of subcall function 02F46080: bind.WS2_32(?,?,-0000001D), ref: 02F460B3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Event$ResetSelectbindconnect
                                                                                                                                        • String ID: CUdpClient::Start
                                                                                                                                        • API String ID: 1052395590-3951387650
                                                                                                                                        • Opcode ID: 1e98f8762dbfd3ea5c65f4900887ef8b02209d12c9917ae226e26db17201c120
                                                                                                                                        • Instruction ID: d6224f5194df5f6e3d17e7559a6e037aa7ce1fb18b0f96bda133e01c48d480c8
                                                                                                                                        • Opcode Fuzzy Hash: 1e98f8762dbfd3ea5c65f4900887ef8b02209d12c9917ae226e26db17201c120
                                                                                                                                        • Instruction Fuzzy Hash: 3E51A471A406049FE720EF69DC84E6BBBF9EF99740F104519EB46D3240EFB1E9048BA1
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 02F358C2
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 02F358CA
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F358DB
                                                                                                                                        • SetEvent.KERNEL32(?), ref: 02F358EF
                                                                                                                                        • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 02F35907
                                                                                                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 02F35921
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F35938
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F35950
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3595B
                                                                                                                                        • _free.LIBCMT ref: 02F35979
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • GetQueuedCompletionStatus.KERNEL32(?,?,?,000000FF,000000FF), ref: 02F359AB
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F359C4
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F359D4
                                                                                                                                        • SetEvent.KERNEL32(?), ref: 02F359E1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentInterlockedThread$CompletionDecrementErrorEventLastQueuedStatus$ExchangeFreeHeapIncrement_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 255837261-0
                                                                                                                                        • Opcode ID: bd11b75f540bd7bfdbb5401ad40c921f5b3012ec910e3c9fda37c5cbf970f05d
                                                                                                                                        • Instruction ID: c69713e69c4d82995224d76370a054b9a280addd667979183935fb7917366e46
                                                                                                                                        • Opcode Fuzzy Hash: bd11b75f540bd7bfdbb5401ad40c921f5b3012ec910e3c9fda37c5cbf970f05d
                                                                                                                                        • Instruction Fuzzy Hash: 97417175901319EFDB10DFA4D888E6AF7B8FF887A1B408959EB1597240D730FA14CBA1
                                                                                                                                        APIs
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,6EBCDBE2,?,?,?,?,?), ref: 02F40A34
                                                                                                                                        • EnterCriticalSection.KERNEL32(00000058,00000000), ref: 02F40AC1
                                                                                                                                        • InterlockedIncrement.KERNEL32(00000000), ref: 02F40AD8
                                                                                                                                        • setsockopt.WS2_32(?,0000FFFF,0000700B,?,00000004), ref: 02F40AFC
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(?,?,00000000,00000000), ref: 02F40B0A
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F40B12
                                                                                                                                        • LeaveCriticalSection.KERNEL32(00000058), ref: 02F40B2B
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000000), ref: 02F40B43
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                          • Part of subcall function 02F3F730: EnterCriticalSection.KERNEL32(?), ref: 02F3F759
                                                                                                                                          • Part of subcall function 02F3F730: EnterCriticalSection.KERNEL32(?), ref: 02F3F763
                                                                                                                                          • Part of subcall function 02F3F730: LeaveCriticalSection.KERNEL32(?), ref: 02F3F782
                                                                                                                                          • Part of subcall function 02F3F730: LeaveCriticalSection.KERNEL32(?), ref: 02F3F785
                                                                                                                                          • Part of subcall function 02F3F730: timeGetTime.WINMM(?,00000000,?,?,?), ref: 02F3F7B4
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 02F40B84
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000000), ref: 02F40B8B
                                                                                                                                        • shutdown.WS2_32(?,00000002), ref: 02F40BAB
                                                                                                                                        • closesocket.WS2_32(?), ref: 02F40BB2
                                                                                                                                          • Part of subcall function 02F4C2C0: InterlockedCompareExchange.KERNEL32(?,?,00000000), ref: 02F4C30D
                                                                                                                                          • Part of subcall function 02F4C2C0: InterlockedCompareExchange.KERNEL32(?,?,?), ref: 02F4C31B
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?), ref: 02F40BD0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Interlocked$EnterLeave$CompareCompletionDecrementExchangeFreeHeap$CreateErrorException@8IncrementLastPortPostQueuedStatusThrowTimeclosesocketsetsockoptshutdowntime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4174458377-0
                                                                                                                                        • Opcode ID: 1e475bca046171feb2e348095cb6ae429372a4e800017632ddb1a181292d0eba
                                                                                                                                        • Instruction ID: d2df6921507c41070ddbed20384ac1bf3c5c55adc7c43627e19edb3b9cf8cec9
                                                                                                                                        • Opcode Fuzzy Hash: 1e475bca046171feb2e348095cb6ae429372a4e800017632ddb1a181292d0eba
                                                                                                                                        • Instruction Fuzzy Hash: 3D519F72A40319ABD714DFA4DC85FABB7B9FF48750F104619FB16D7280DB74A9108BA0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F21EDC
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F21EE9
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F21F0D
                                                                                                                                        • DeleteCriticalSection.KERNEL32(00000000), ref: 02F21F2E
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000), ref: 02F21F3E
                                                                                                                                        • timeGetTime.WINMM ref: 02F21F94
                                                                                                                                        • InterlockedCompareExchange.KERNEL32 ref: 02F21FC7
                                                                                                                                        • timeGetTime.WINMM ref: 02F21FEF
                                                                                                                                        • timeGetTime.WINMM ref: 02F21FF9
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F22023
                                                                                                                                        • DeleteCriticalSection.KERNEL32(00000000), ref: 02F2204A
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?), ref: 02F2205A
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F22069
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$CompareExchange$Timetime$CriticalDecrementDeleteFreeHeapSection
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2063879007-0
                                                                                                                                        APIs
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,6EBCDBE2,00000008,00000000), ref: 02F2CE73
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,02F5BF2E,000000FF), ref: 02F2CE88
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,6EBCDBE2,00000008,00000000), ref: 02F2CEFD
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 02F2CF80
                                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,?,?,?,00000004,00000000,00000000), ref: 02F2CFB3
                                                                                                                                        • CreateTimerQueue.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 02F2CFD5
                                                                                                                                        • CreateTimerQueue.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 02F2CFF6
                                                                                                                                        • CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 02F2D049
                                                                                                                                        • CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,00000000), ref: 02F2D056
                                                                                                                                        • _free.LIBCMT ref: 02F2D095
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$InfoNativeQueueSemaphoreSystemTimer$CountCriticalEventHeapInitializeSectionSpin_free
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 1847867904-938174528
                                                                                                                                        APIs
                                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?), ref: 02F36E52
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F36E5C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountCriticalErrorInitializeLastSectionSpin
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 439134102-938174528
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000078,6EBCDBE2), ref: 02F4629D
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F462A9
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F462B9
                                                                                                                                        • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02F46375
                                                                                                                                        • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,FFFFD8F0,000000FF), ref: 02F463DB
                                                                                                                                        • _free.LIBCMT ref: 02F46403
                                                                                                                                        • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 02F4643E
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,02F5C3E3,000000FF), ref: 02F464F9
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F46513
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4653C
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F4655C
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02F5C3E3,000000FF), ref: 02F46575
                                                                                                                                          • Part of subcall function 02F46A30: EnterCriticalSection.KERNEL32(?), ref: 02F46A75
                                                                                                                                          • Part of subcall function 02F46A30: LeaveCriticalSection.KERNEL32(?), ref: 02F46AC0
                                                                                                                                          • Part of subcall function 02F46A30: send.WS2_32(?,?,?,00000000), ref: 02F46AEB
                                                                                                                                          • Part of subcall function 02F46A30: EnterCriticalSection.KERNEL32(?), ref: 02F46AFE
                                                                                                                                          • Part of subcall function 02F46A30: LeaveCriticalSection.KERNEL32(?), ref: 02F46B11
                                                                                                                                          • Part of subcall function 02F46A30: SetLastError.KERNEL32(00000000), ref: 02F46B19
                                                                                                                                          • Part of subcall function 02F46A30: HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F46B64
                                                                                                                                          • Part of subcall function 02F46A30: WSAGetLastError.WS2_32 ref: 02F46B6F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CriticalCurrentSectionThread$EnterLeaveTimerWaitable$CloseCreateEventsFreeHandleHeapMultipleWait_freesend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1467685963-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F,6EBCDBE2,?,?,?,?,02F42669), ref: 02F422B6
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,?,?,02F42669), ref: 02F422DD
                                                                                                                                        • SetLastError.KERNEL32(0000139F,?,?,?,02F42669), ref: 02F422F1
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,02F42669), ref: 02F422F8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2124651672-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F,6EBCDBE2,7556E7E0,?,?,?,?,?,00000000), ref: 02F43EA6
                                                                                                                                        • EnterCriticalSection.KERNEL32(6EBCDBE2,6EBCDBE2,7556E7E0,?,?,?,?,?,00000000), ref: 02F43ECD
                                                                                                                                        • SetLastError.KERNEL32(0000139F), ref: 02F43EE1
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6EBCDBE2), ref: 02F43EE8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2124651672-0
                                                                                                                                        APIs
                                                                                                                                        • HeapAlloc.KERNEL32(?,00000000,?,00000000,6EBCDBE2,?), ref: 02F3B943
                                                                                                                                        • EnterCriticalSection.KERNEL32(00000058,00000000,6EBCDBE2,?), ref: 02F3B992
                                                                                                                                        • ioctlsocket.WS2_32(?,8004667E,?), ref: 02F3B9D0
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(?,?,00000000,00000000), ref: 02F3B9FB
                                                                                                                                        • connect.WS2_32(?,?,-0000001D), ref: 02F3BA41
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F3BA4D
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3BA5A
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(?,?,00000000,00000000), ref: 02F3BA8E
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F3BAC7
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02F3BB19
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 02F3BB2C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompletionCreateCriticalHeapPortSection$AllocEnterFreeLeaveconnectioctlsocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1571219349-0
                                                                                                                                        APIs
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 02F4ADF8
                                                                                                                                        • _memmove.LIBCMT ref: 02F4AE30
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02F4AE9A
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000001,000000FF,?,00000001,000000FF), ref: 02F4AEB4
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,?), ref: 02F4AEFA
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4AF05
                                                                                                                                        • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 02F4AF2C
                                                                                                                                        • GetLastError.KERNEL32(?), ref: 02F4AFEA
                                                                                                                                        • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 02F4B011
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F4B01B
                                                                                                                                          • Part of subcall function 02F4B560: InterlockedIncrement.KERNEL32(?), ref: 02F4B5EE
                                                                                                                                          • Part of subcall function 02F4B560: timeGetTime.WINMM(?,02F4B076,?,?), ref: 02F4B604
                                                                                                                                          • Part of subcall function 02F4B560: InterlockedDecrement.KERNEL32(?), ref: 02F4B653
                                                                                                                                          • Part of subcall function 02F4B670: InterlockedDecrement.KERNEL32(?), ref: 02F4B6CB
                                                                                                                                          • Part of subcall function 02F4B670: HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F4B6E6
                                                                                                                                          • Part of subcall function 02F4B410: InterlockedIncrement.KERNEL32(?), ref: 02F4B492
                                                                                                                                          • Part of subcall function 02F4B410: InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F4B4BA
                                                                                                                                          • Part of subcall function 02F4B410: InterlockedDecrement.KERNEL32(?), ref: 02F4B4C7
                                                                                                                                          • Part of subcall function 02F4B410: InterlockedDecrement.KERNEL32(?), ref: 02F4B520
                                                                                                                                          • Part of subcall function 02F4B410: HeapFree.KERNEL32(00000000,00000000,?,?,?,02F4B096,00000000,?,?), ref: 02F4B53F
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4B0B1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Decrement$ErrorLast$CompletionCurrentFreeHeapIncrementQueuedStatusThread$CloseExchangeHandleMultipleObjectsOverlappedPostResultTimeWait_memmovetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 216165568-0
                                                                                                                                        APIs
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 02F3AB85
                                                                                                                                        • _memmove.LIBCMT ref: 02F3ABBD
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02F3AC2A
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000001,000000FF,?,00000001,000000FF), ref: 02F3AC44
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCompletionHandleMultipleObjectsPostQueuedStatusWait_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3218539664-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F45183
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F451CE
                                                                                                                                        • sendto.WS2_32(00000000,?,?,00000000,00000002,-0000001D), ref: 02F4520D
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F45220
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F4523F
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F45247
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F45291
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F4529C
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F452B0
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F452E9
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F45331
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$ErrorFreeHeapLast$sendto
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3005915512-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F46A75
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F46AC0
                                                                                                                                        • send.WS2_32(?,?,?,00000000), ref: 02F46AEB
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F46AFE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F46B11
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F46B19
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F46B64
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F46B6F
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F46B83
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F46BBC
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F46C06
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$ErrorFreeHeapLast$send
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3617958714-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F2AC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F2ACA5
                                                                                                                                          • Part of subcall function 02F2AC90: SwitchToThread.KERNEL32(?,02F21AA6,?), ref: 02F2ACB9
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?), ref: 02F488D0
                                                                                                                                        • WSASendTo.WS2_32(?,?,00000001,?,00000000,00000002,?,?,00000000), ref: 02F48920
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 02F4892B
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4893B
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 02F4895D
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 02F4899E
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F489F6
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?), ref: 02F48A18
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Exchange$ErrorFreeHeapLast$CompareDecrementSendSwitchThread
                                                                                                                                        • String ID: <
                                                                                                                                        • API String ID: 3290016356-4251816714
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00F91310), ref: 00F91137
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,LoadLibraryA), ref: 00F91153
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FreeLibrary), ref: 00F91168
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00F91179
                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 00F9118D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                         • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$CurrentHandleModuleThread
                                                                                                                                        • String ID: FreeLibrary$GetProcAddress$LoadLibraryA$kernel32.dll
                                                                                                                                        • API String ID: 46939698-1293290853
                                                                                                                                        APIs
                                                                                                                                        • HeapAlloc.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,02F2B397,?,?,?), ref: 02F41232
                                                                                                                                        • _memmove.LIBCMT ref: 02F4127D
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F4128A
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F412B3
                                                                                                                                        • WSASend.WS2_32(?,0000001C,00000001,?,00000000,00000000,00000000), ref: 02F412C9
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,02F2B397,?,?,?), ref: 02F412D4
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F412E8
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000028), ref: 02F41309
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F41334
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F41366
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$DecrementExchangeHeap$AllocErrorFreeIncrementLastSend_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1255044884-0
                                                                                                                                        APIs
                                                                                                                                        • HeapAlloc.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,02F2C187,?,?,?), ref: 02F3BDB2
                                                                                                                                        • _memmove.LIBCMT ref: 02F3BDFD
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(00000000,?), ref: 02F3BE0A
                                                                                                                                        • InterlockedIncrement.KERNEL32(00000000), ref: 02F3BE33
                                                                                                                                        • WSASend.WS2_32(?,0000001C,00000001,?,00000000,00000000,00000000), ref: 02F3BE49
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,02F2C187,?,?,?), ref: 02F3BE54
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000000), ref: 02F3BE68
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000028), ref: 02F3BE89
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F3BEB4
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(00000000,?), ref: 02F3BEE6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$DecrementExchangeHeap$AllocErrorFreeIncrementLastSend_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1255044884-0
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F2D161
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2D16F
                                                                                                                                        • _free.LIBCMT ref: 02F2D199
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2D1D9
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2D1FD
                                                                                                                                        • DeleteTimerQueueEx.KERNEL32(?,000000FF,?), ref: 02F2D23C
                                                                                                                                        • DeleteTimerQueueEx.KERNEL32(?,000000FF,?), ref: 02F2D267
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,?), ref: 02F2D288
                                                                                                                                        • HeapDestroy.KERNEL32(?), ref: 02F2D299
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2D2D3
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseDeleteHandle$QueueTimer$CriticalDestroyErrorException@8HeapLastObjectSectionSingleThrowWait_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2419799110-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F39040: StrChrA.SHLWAPI(00000000,0000005E,00000000,?,?,02F449D4,?,6EBCDBE2,?,00000000,?,?,?,?), ref: 02F3904B
                                                                                                                                        • htons.WS2_32(?), ref: 02F44A68
                                                                                                                                        • WSASetLastError.WS2_32(0000273B), ref: 02F44A9C
                                                                                                                                        • WSASetLastError.WS2_32(0000273F), ref: 02F44AD7
                                                                                                                                        • socket.WS2_32(00000000,00000002,00000011), ref: 02F44B0E
                                                                                                                                        • WSAIoctl.WS2_32(00000000,9800000C,00000000,00000004), ref: 02F44B3B
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F44B46
                                                                                                                                        • WSACreateEvent.WS2_32 ref: 02F44B7A
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CreateEventIoctlhtonssocket
                                                                                                                                        • String ID: 255.255.255.255
                                                                                                                                        • API String ID: 2120161073-2422070025
                                                                                                                                        APIs
                                                                                                                                        • CreateTimerQueueTimer.KERNEL32(00000000,?,02F3C3E0,?,00003A98,00003A98,00000020), ref: 02F39AC0
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F39ACC
                                                                                                                                        • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02F39ADC
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 02F39B02
                                                                                                                                        • GetLastError.KERNEL32(vector<T> too long), ref: 02F39B07
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F39B17
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Timer$CreateQueueXinvalid_argumentstd::_
                                                                                                                                        • String ID: CTcpAgent::CreateWorkerThreads$vector<T> too long
                                                                                                                                        • API String ID: 1960426987-3187569605
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F47552
                                                                                                                                          • Part of subcall function 02F37AD0: WSASetLastError.WS2_32(00002741,?,?,?,02F44A7F,?,?,?), ref: 02F37AF0
                                                                                                                                        • htons.WS2_32(?), ref: 02F4757F
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F475A6
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,02F472FC), ref: 02F475BF
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F475D2
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F475F8
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$htons
                                                                                                                                        • String ID: 255.255.255.255$CUdpNode::ParseBindAddr
                                                                                                                                        • API String ID: 1446237738-2777872655
                                                                                                                                        APIs
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(?,?,?,00000000,?,?,?,02F48FF8), ref: 02F496B6
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,?,?,?,?,02F48FF8), ref: 02F496ED
                                                                                                                                        • CreateTimerQueueTimer.KERNEL32(?,?,02F4C0E0,?,00003A98,00003A98,00000020,?,?,?,02F48FF8), ref: 02F4971E
                                                                                                                                        • GetLastError.KERNEL32(?,00003A98,00003A98,00000020,?,?,?,02F48FF8), ref: 02F4972A
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F4973D
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,02F48FF8), ref: 02F4976E
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F49781
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompletionCreateTimer$PortPostQueueQueuedStatus
                                                                                                                                        • String ID: CUdpServer::StartAccept
                                                                                                                                        • API String ID: 3593799683-1250240616
                                                                                                                                        APIs
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(?,?,?,00000000,?,?,?,02F3EB5A,?,?), ref: 02F3F270
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,?,?,?,?,02F3EB5A,?,?), ref: 02F3F29F
                                                                                                                                        • CreateTimerQueueTimer.KERNEL32(?,?,02F41960,?,00003A98,00003A98,00000020,?,?,?,02F3EB5A,?,?), ref: 02F3F2D0
                                                                                                                                        • GetLastError.KERNEL32(?,00003A98,00003A98,00000020,?,?,?,02F3EB5A,?,?), ref: 02F3F2DC
                                                                                                                                        • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02F3F2EC
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,02F3EB5A,?,?), ref: 02F3F31D
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F3F32D
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompletionCreateTimer$PortPostQueueQueuedStatus
                                                                                                                                        • String ID: CTcpServer::StartAccept
                                                                                                                                        • API String ID: 3593799683-877316848
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 02F36173
                                                                                                                                        • _free.LIBCMT ref: 02F36291
                                                                                                                                        • std::exception::exception.LIBCMT ref: 02F362C0
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 02F362D5
                                                                                                                                        • SetLastError.KERNEL32(0000000D,?,?), ref: 02F362DC
                                                                                                                                        • _free.LIBCMT ref: 02F362E3
                                                                                                                                        • SetLastError.KERNEL32(00000018,?,?), ref: 02F36304
                                                                                                                                        • _free.LIBCMT ref: 02F3630B
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast_free$Exception@8FreeHeapThrow_mallocstd::exception::exception
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3837565262-0
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 02F35F20
                                                                                                                                        • _free.LIBCMT ref: 02F36030
                                                                                                                                        • std::exception::exception.LIBCMT ref: 02F3605F
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 02F36074
                                                                                                                                        • SetLastError.KERNEL32(0000000D,?,?,00000000,?,?,?,?), ref: 02F3607B
                                                                                                                                        • _free.LIBCMT ref: 02F36082
                                                                                                                                        • SetLastError.KERNEL32(00000018,?,?,00000000,?,?,?,?), ref: 02F360A3
                                                                                                                                        • _free.LIBCMT ref: 02F360AA
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast_free$Exception@8FreeHeapThrow_mallocstd::exception::exception
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3837565262-0
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 02F35CD0
                                                                                                                                        • _free.LIBCMT ref: 02F35DE0
                                                                                                                                        • std::exception::exception.LIBCMT ref: 02F35E0F
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 02F35E24
                                                                                                                                        • SetLastError.KERNEL32(0000000D,?,?,00000000,?,?,?,?), ref: 02F35E2B
                                                                                                                                        • _free.LIBCMT ref: 02F35E32
                                                                                                                                        • SetLastError.KERNEL32(00000018,?,?,00000000,?,?,?,?), ref: 02F35E53
                                                                                                                                        • _free.LIBCMT ref: 02F35E5A
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast_free$Exception@8FreeHeapThrow_mallocstd::exception::exception
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3837565262-0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(000000D4,00000001,00000000), ref: 02F363A0
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(000000D4,00000001,00000000), ref: 02F363AD
                                                                                                                                        • InterlockedDecrement.KERNEL32(000000D8), ref: 02F363D8
                                                                                                                                        • timeGetTime.WINMM(02F5E34C), ref: 02F36446
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(000000D4,00000001,00000000), ref: 02F3647A
                                                                                                                                        • timeGetTime.WINMM ref: 02F364A2
                                                                                                                                        • timeGetTime.WINMM ref: 02F364AC
                                                                                                                                        • InterlockedDecrement.KERNEL32(000000D8), ref: 02F364DE
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(000000D4,00000001,00000000), ref: 02F36539
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$CompareExchange$Timetime$Decrement
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1774158691-0
                                                                                                                                        APIs
                                                                                                                                        • getaddrinfo.WS2_32(?,00000000,?,?), ref: 02F373D8
                                                                                                                                        • _free.LIBCMT ref: 02F373ED
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        • WSASetLastError.WS2_32(00000000,?,?,?,?), ref: 02F373FA
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 02F37417
                                                                                                                                        • _memcpy_s.LIBCMT ref: 02F37441
                                                                                                                                        • _memmove.LIBCMT ref: 02F3749F
                                                                                                                                        • freeaddrinfo.WS2_32(?,?,?,?,?), ref: 02F374AD
                                                                                                                                        • htons.WS2_32(?), ref: 02F374BB
                                                                                                                                        • WSASetLastError.WS2_32(00002AF9,?,?,?,?), ref: 02F374E0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Exception@8FreeHeapThrow_free_memcpy_s_memmovefreeaddrinfogetaddrinfohtonslstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2357404279-0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F4B492
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4B4C7
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F4B4BA
                                                                                                                                          • Part of subcall function 02F48EC0: SetLastError.KERNEL32(00000000,?,?), ref: 02F48ED7
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F4B4D4
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4B4EC
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F4B4F9
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4B511
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4B520
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,02F4B096,00000000,?,?), ref: 02F4B53F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Decrement$Exchange$ErrorFreeHeapIncrementLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 692366606-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F453F3
                                                                                                                                        • _free.LIBCMT ref: 02F45406
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F4542D
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F45436
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F4543F
                                                                                                                                        • HeapDestroy.KERNEL32(?), ref: 02F45462
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?), ref: 02F4547D
                                                                                                                                        • SetEvent.KERNEL32 ref: 02F45544
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F4554E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Event$HeapReset$CriticalSection$CreateDestroyEnterErrorFreeLastLeave_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 465610239-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F46CE3
                                                                                                                                        • _free.LIBCMT ref: 02F46CF3
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F46D11
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F46D1A
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 02F46D23
                                                                                                                                        • HeapDestroy.KERNEL32(?), ref: 02F46D43
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?), ref: 02F46D55
                                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02F46DD5
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F46DDF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Event$HeapReset$CriticalSection$CreateDestroyEnterErrorFreeLastLeave_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 465610239-0
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 02F21203
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • _malloc.LIBCMT ref: 02F21235
                                                                                                                                        • _memset.LIBCMT ref: 02F21240
                                                                                                                                        • _free.LIBCMT ref: 02F21267
                                                                                                                                        • _malloc.LIBCMT ref: 02F212A8
                                                                                                                                        • _memset.LIBCMT ref: 02F212B6
                                                                                                                                        • _free.LIBCMT ref: 02F212CC
                                                                                                                                        • _malloc.LIBCMT ref: 02F21307
                                                                                                                                        • _memset.LIBCMT ref: 02F21315
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free_malloc_memset$ErrorFreeHeapLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3649356292-0
                                                                                                                                        • Opcode ID: 4cee6dba77bb3f9e240f86840a25f89a45f7388602072b1fec72b06440922374
                                                                                                                                        • Instruction ID: c93347435709ff88a179e78ced164e71303dcaa9035eca9f3a6d73999bba855a
                                                                                                                                        • Opcode Fuzzy Hash: 4cee6dba77bb3f9e240f86840a25f89a45f7388602072b1fec72b06440922374
                                                                                                                                        • Instruction Fuzzy Hash: 6A3108F1E02626ABD714DF7988846D6FBA8FF05384F50422EEA2C93201D77178248FD0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F,6EBCDBE2,00000000), ref: 02F43A99
                                                                                                                                        • TryEnterCriticalSection.KERNEL32(?,6EBCDBE2,00000000), ref: 02F43AC4
                                                                                                                                        • TryEnterCriticalSection.KERNEL32(?), ref: 02F43ADE
                                                                                                                                        • SetLastError.KERNEL32(0000139F), ref: 02F43AFE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F43B07
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F43B0E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4082018349-0
                                                                                                                                        • Opcode ID: 63df9b790ddaff57c4063dd2b58a9b08c7bfd64f7b433394c496cadf420c20ea
                                                                                                                                        • Instruction ID: 0c7db7a9fa05e08ad3342a9521920ae05403c9c4a12d12ca20d48ebb58477c92
                                                                                                                                        • Opcode Fuzzy Hash: 63df9b790ddaff57c4063dd2b58a9b08c7bfd64f7b433394c496cadf420c20ea
                                                                                                                                        • Instruction Fuzzy Hash: 9A31D832A483548BC310DF29D845B57FBE8FB887A4F000A2EEA45D3650DB75E500CB56
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F34F2B
                                                                                                                                        • GetExitCodeThread.KERNEL32(?,?,00000000), ref: 02F34F5D
                                                                                                                                        • TerminateThread.KERNEL32(?,00000000,?,?,00000000), ref: 02F34F70
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00000000), ref: 02F34F77
                                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 02F34F8A
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F34F97
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?), ref: 02F34F9E
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F34FA8
                                                                                                                                        • RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000), ref: 02F34FBB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCriticalHandleSection$Thread$CodeDeleteEnterExceptionExitLeaveRaiseTerminate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 664006054-0
                                                                                                                                        • Opcode ID: 6c359dc61530d4b83a108f35fe14e38efcb4cf04b4a66377d3301ed879a33dbd
                                                                                                                                        • Instruction ID: 7387101550c5213cb77d32a40283a32559d7cf1fb1595e8832e51490836f5b33
                                                                                                                                        • Opcode Fuzzy Hash: 6c359dc61530d4b83a108f35fe14e38efcb4cf04b4a66377d3301ed879a33dbd
                                                                                                                                        • Instruction Fuzzy Hash: A5115172940725ABD7119F74DC88B5AF7A8BF047A5F454A04FB01A7680C774F9248BE1
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 02F2A10C
                                                                                                                                          • Part of subcall function 02F4D0D9: __FF_MSGBANNER.LIBCMT ref: 02F4D0F2
                                                                                                                                          • Part of subcall function 02F4D0D9: __NMSG_WRITE.LIBCMT ref: 02F4D0F9
                                                                                                                                          • Part of subcall function 02F4D0D9: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D11E
                                                                                                                                        • _memmove.LIBCMT ref: 02F2A152
                                                                                                                                          • Part of subcall function 02F293B0: __vswprintf.LIBCMT ref: 02F293EA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap__vswprintf_malloc_memmove
                                                                                                                                        • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                                                        • API String ID: 1438150933-868042568
                                                                                                                                        • Opcode ID: b9054fae1282fc985defa2df5a9638ea7c7301d92ca9de1115bc5fe5b44798bc
                                                                                                                                        • Instruction ID: 8bf1b2246a40cbcaa8f786fa1dc05470ec7d6f562e9c1cc46d12afad263da0b4
                                                                                                                                        • Opcode Fuzzy Hash: b9054fae1282fc985defa2df5a9638ea7c7301d92ca9de1115bc5fe5b44798bc
                                                                                                                                        • Instruction Fuzzy Hash: 8BB1E471E002249FDB18CF68C890AAA77B5FF4A750F1485AEDE059B346D771E948CF90
                                                                                                                                        APIs
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,6EBCDBE2,00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02F2C4E8
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02F5BFB6,000000FF), ref: 02F2C4FD
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,6EBCDBE2,00000008,00000000), ref: 02F2C561
                                                                                                                                        • CreateTimerQueue.KERNEL32 ref: 02F2C5CD
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000004,00000000,00000000), ref: 02F2C60C
                                                                                                                                        • _free.LIBCMT ref: 02F2C675
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$InfoNativeSystem$EventHeapQueueTimer_free
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 2140642950-938174528
                                                                                                                                        • Opcode ID: 1d36b8e0e4c15f6abb20781f31b025cb9875a2ece5ec5016e1905e6e10e57343
                                                                                                                                        • Instruction ID: e28dae5fc1e5424ec4b2c27a6dfbbb6aaf8127f22700e66bd8b2f11558e4c5ea
                                                                                                                                        • Opcode Fuzzy Hash: 1d36b8e0e4c15f6abb20781f31b025cb9875a2ece5ec5016e1905e6e10e57343
                                                                                                                                        • Instruction Fuzzy Hash: 617113B0A01A56AFD704CF69D984789FBE8FF09384F50862ED61DD7640D774AA28CF90
                                                                                                                                        APIs
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,6EBCDBE2,00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02F2B783
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02F5C0E3,000000FF), ref: 02F2B798
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,6EBCDBE2,00000008,00000000), ref: 02F2B80B
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 02F2B879
                                                                                                                                        • CreateTimerQueue.KERNEL32(?,?,?,?,00000004,00000000,00000000), ref: 02F2B8B3
                                                                                                                                        • _free.LIBCMT ref: 02F2B907
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$InfoNativeSystem$EventHeapQueueTimer_free
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 2140642950-938174528
                                                                                                                                        • Opcode ID: 9e5654aae978a3ff858df77ee6010be9bd60abf26ee26abe4219dd8562243453
                                                                                                                                        • Instruction ID: c5f6e66d4e8550df1caf9ad008a2ee6273137572bb4d3d4a6445e476c46d1d58
                                                                                                                                        • Opcode Fuzzy Hash: 9e5654aae978a3ff858df77ee6010be9bd60abf26ee26abe4219dd8562243453
                                                                                                                                        • Instruction Fuzzy Hash: 6E7118B0A01B56EFD704CF69D984789FBA4FF08348F50862ED62D97680D774A568CF90
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F92BD4
                                                                                                                                        • GetThreadContext.KERNEL32(?,00010001), ref: 00F92CE1
                                                                                                                                          • Part of subcall function 00F929F0: GetCurrentThreadId.KERNEL32 ref: 00F929F6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$Current$Context
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1666949209-0
                                                                                                                                        • Opcode ID: c49d2a6682d3e01da82259ea1fc8f474b62711a628e24190ad9a24a8a2cd18e1
                                                                                                                                        • Instruction ID: 668581fc76080c2f0b6634ccd2993cb7576056275c899606ff27ef7b4e48c3ca
                                                                                                                                        • Opcode Fuzzy Hash: c49d2a6682d3e01da82259ea1fc8f474b62711a628e24190ad9a24a8a2cd18e1
                                                                                                                                        • Instruction Fuzzy Hash: 01C12BB4E00219DFDB58CF94D888BAEB7B5FB48304F20859AE81597351D734EA85EF90
                                                                                                                                        APIs
                                                                                                                                        • WSASetLastError.WS2_32(00002741,6EBCDBE2), ref: 02F37603
                                                                                                                                        • WSAStringToAddressA.WS2_32(?,?,00000000,?,?,6EBCDBE2), ref: 02F37693
                                                                                                                                        • getaddrinfo.WS2_32(?,00000000,?,?), ref: 02F37737
                                                                                                                                        • _free.LIBCMT ref: 02F3774C
                                                                                                                                        • lstrlenA.KERNEL32(?), ref: 02F3775F
                                                                                                                                        • _memcpy_s.LIBCMT ref: 02F37789
                                                                                                                                        • freeaddrinfo.WS2_32(?), ref: 02F3785A
                                                                                                                                        • WSASetLastError.WS2_32(00002AF9), ref: 02F37869
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$AddressString_free_memcpy_sfreeaddrinfogetaddrinfolstrlen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2503221313-0
                                                                                                                                        • Opcode ID: ac29cb8bb3ff5199bc0bb3fdee57e7a19e9e287471708cfdc03e8fafb0bce2ff
                                                                                                                                        • Instruction ID: 47a01698a93b60dcea78f6100a1c21f4f1570d0fa12254ddc59e8d5fe0d5279f
                                                                                                                                        • Opcode Fuzzy Hash: ac29cb8bb3ff5199bc0bb3fdee57e7a19e9e287471708cfdc03e8fafb0bce2ff
                                                                                                                                        • Instruction Fuzzy Hash: AD918FB1A083419FD722EF29C884A6BF7E5AF88784F14492DFA85D7250E730D944CF92
                                                                                                                                        APIs
                                                                                                                                        • WSASetLastError.WS2_32(0000000D,6EBCDBE2,?), ref: 02F42529
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?), ref: 02F4254F
                                                                                                                                        • WSASetLastError.WS2_32(00002746), ref: 02F42568
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F4256F
                                                                                                                                        • timeGetTime.WINMM ref: 02F425AB
                                                                                                                                        • timeGetTime.WINMM ref: 02F425D9
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 02F42621
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F42649
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$ErrorLastTimetime$Enter
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 926294903-0
                                                                                                                                        • Opcode ID: 1717b5dc3a4402217c4a74d8d987eb549e48a366ab72c140be361233e91dee03
                                                                                                                                        • Instruction ID: 5a5a1eea150c36b20a5ceaa72f72bf8c3a8afff5641672a7112f7d669943e056
                                                                                                                                        • Opcode Fuzzy Hash: 1717b5dc3a4402217c4a74d8d987eb549e48a366ab72c140be361233e91dee03
                                                                                                                                        • Instruction Fuzzy Hash: A9518E32A047048FD720CF58D954B6AFBE4FB497A0F004A6AEE56D3780DBB5A900CB50
                                                                                                                                        APIs
                                                                                                                                        • WSASetLastError.WS2_32(0000000D,6EBCDBE2,?,?,00000000), ref: 02F43BC8
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,00000000), ref: 02F43BEE
                                                                                                                                        • WSASetLastError.WS2_32(00002746,?,?,00000000), ref: 02F43C07
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 02F43C0E
                                                                                                                                        • timeGetTime.WINMM(?,?,00000000), ref: 02F43C4D
                                                                                                                                        • timeGetTime.WINMM(?,?,00000000), ref: 02F43C79
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,02F5CC98,000000FF), ref: 02F43CB5
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 02F43CDD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$ErrorLastTimetime$Enter
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 926294903-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 02F44D0E
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F44D1A
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F44D2A
                                                                                                                                        • _free.LIBCMT ref: 02F44D74
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 02F44DAD
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F44DF4
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F44E1E
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F44E4D
                                                                                                                                          • Part of subcall function 02F45140: EnterCriticalSection.KERNEL32(?), ref: 02F45183
                                                                                                                                          • Part of subcall function 02F45140: LeaveCriticalSection.KERNEL32(?), ref: 02F451CE
                                                                                                                                          • Part of subcall function 02F45140: sendto.WS2_32(00000000,?,?,00000000,00000002,-0000001D), ref: 02F4520D
                                                                                                                                          • Part of subcall function 02F45140: EnterCriticalSection.KERNEL32(?), ref: 02F45220
                                                                                                                                          • Part of subcall function 02F45140: LeaveCriticalSection.KERNEL32(?), ref: 02F4523F
                                                                                                                                          • Part of subcall function 02F45140: SetLastError.KERNEL32(00000000), ref: 02F45247
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalCurrentErrorLastSectionThread$EnterLeave$EventsFreeHeapMultipleWait_freesendto
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3037932394-0
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000009,000000FF,6EBCDBE2), ref: 02F2D89D
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2D8AB
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2D8C8
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2D8EB
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2D90E
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?), ref: 02F2D934
                                                                                                                                        • _free.LIBCMT ref: 02F2D96D
                                                                                                                                        • CloseHandle.KERNEL32(00000002), ref: 02F2D989
                                                                                                                                          • Part of subcall function 02F46C20: GetCurrentThreadId.KERNEL32 ref: 02F46C24
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$CriticalCurrentDeleteErrorLastObjectSectionSingleThreadWait_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3924219484-0
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000009,000000FF,6EBCDBE2), ref: 02F2DF0D
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2DF1B
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2DF38
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2DF5B
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2DF7E
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?), ref: 02F2DFA4
                                                                                                                                        • _free.LIBCMT ref: 02F2DFE6
                                                                                                                                        • CloseHandle.KERNEL32(00000002), ref: 02F2E00B
                                                                                                                                          • Part of subcall function 02F45350: GetCurrentThreadId.KERNEL32 ref: 02F45354
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$CriticalCurrentDeleteErrorLastObjectSectionSingleThreadWait_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3924219484-0
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000009,000000FF,6EBCDBE2), ref: 02F2BFCD
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2BFDB
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2BFF8
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2C01B
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2C03E
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?), ref: 02F2C064
                                                                                                                                        • _free.LIBCMT ref: 02F2C09D
                                                                                                                                        • CloseHandle.KERNEL32(00000002), ref: 02F2C0B9
                                                                                                                                          • Part of subcall function 02F3E2C0: GetCurrentThreadId.KERNEL32 ref: 02F3E2C4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$CriticalCurrentDeleteErrorLastObjectSectionSingleThreadWait_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3924219484-0
                                                                                                                                        APIs
                                                                                                                                        • WSAEventSelect.WS2_32(?,?,00000030), ref: 02F4617B
                                                                                                                                        • connect.WS2_32(?,?,-0000001D), ref: 02F461A0
                                                                                                                                        • WSAGetLastError.WS2_32(?,7556DFA0,?,02F45B06,00000005,?,?,?,?,?,?,?,?), ref: 02F461AF
                                                                                                                                        • connect.WS2_32(?,?,-0000001D), ref: 02F461EB
                                                                                                                                        • WSAEventSelect.WS2_32(?,?,00000023), ref: 02F46200
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,7556DFA0,?,02F45B06,00000005,?,?,?,?,?,?,?,?), ref: 02F46218
                                                                                                                                        • GetLastError.KERNEL32(?,7556DFA0,?,02F45B06,00000005,?,?,?,?,?,?,?,?), ref: 02F4622F
                                                                                                                                        • WSASetLastError.WS2_32(00000000,?,7556DFA0,?,02F45B06,00000005,?,?,?,?,?,?,?,?), ref: 02F4623F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$EventSelectconnect
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 371153081-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F40249
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4025A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F40279
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4028F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F40299
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4029F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F402B1
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,6EBCDBE2), ref: 02F402D8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4AC19
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4AC2A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F4AC49
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4AC5F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F4AC69
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4AC6F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F4AC81
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4ACA8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F47D19
                                                                                                                                        • timeGetTime.WINMM ref: 02F47D2A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000004,00000000,-00000032,000004FF), ref: 02F47D49
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F47D5F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F47D69
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F47D6F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F47D81
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F47DA8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F40339
                                                                                                                                        • timeGetTime.WINMM ref: 02F4034A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F40369
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4037F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F40389
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4038F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F403A1
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F403C8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(?,00000000), ref: 02F45586
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02F455B3
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F455C9
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F455D4
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F455DA
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F455E8
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F45611
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F45628
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1713936993-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F3AA99
                                                                                                                                        • timeGetTime.WINMM ref: 02F3AAAA
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F3AAC9
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F3AADF
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F3AAE9
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F3AAEF
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F3AB01
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F3AB28
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F4AD09
                                                                                                                                        • timeGetTime.WINMM ref: 02F4AD1A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F4AD39
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4AD4F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F4AD59
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4AD5F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F4AD71
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F4AD98
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(?,00000000), ref: 02F46E16
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02F46E43
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F46E59
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F46E64
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F46E6A
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F46E78
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 02F46EA1
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F46EB8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1713936993-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F39040: StrChrA.SHLWAPI(00000000,0000005E,00000000,?,?,02F449D4,?,6EBCDBE2,?,00000000,?,?,?,?), ref: 02F3904B
                                                                                                                                          • Part of subcall function 02F37100: StrChrA.SHLWAPI(?,0000003A,?,02F375E6,6EBCDBE2), ref: 02F3711C
                                                                                                                                        • WSASetLastError.WS2_32(00002741), ref: 02F45EE2
                                                                                                                                          • Part of subcall function 02F37240: WSASetLastError.WS2_32(00002741,?,?,02F44A13,?,?,6EBCDBE2,?,00000000,?,?,?), ref: 02F37256
                                                                                                                                        • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02F45F05
                                                                                                                                        • WSASetLastError.WS2_32(0000273F,?,00000000,?,?), ref: 02F45F44
                                                                                                                                        • socket.WS2_32(00000000,00000002,00000011), ref: 02F45F7A
                                                                                                                                        • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02F45FD2
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F45FDD
                                                                                                                                        • WSACreateEvent.WS2_32 ref: 02F46011
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$AddressCreateEventIoctlStringsocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2854721509-0
                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,6EBCDBE2,00000008,00000000,?,?,02F5C8A1,000000FF,?,02F2F2F2,00000008,?), ref: 02F2DCBC
                                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02F2DDE1
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2DE1F
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2DE69
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2DE44
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateEvent$CountCriticalException@8InitializeSectionSpinThrow
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 2324559976-938174528
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 02F29618
                                                                                                                                        • _free.LIBCMT ref: 02F29656
                                                                                                                                        • _free.LIBCMT ref: 02F29695
                                                                                                                                        • _free.LIBCMT ref: 02F296D5
                                                                                                                                        • _free.LIBCMT ref: 02F296FD
                                                                                                                                        • _free.LIBCMT ref: 02F29721
                                                                                                                                        • _free.LIBCMT ref: 02F29759
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 776569668-0
                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,6EBCDBE2,00000008,00000000,?,?,02F5C929,000000FF,?,02F2F2A2,00000008,?), ref: 02F2D6BC
                                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02F2D78A
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2D7C8
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2D7ED
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2D812
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateEvent$CountCriticalException@8InitializeSectionSpinThrow
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 2324559976-938174528
                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,6EBCDBE2,00000008,00000000,?,?,02F5CB79,000000FF,?,02F2EF32,00000008,?), ref: 02F2BDDC
                                                                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02F2BEB7
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2BEF5
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2BF1A
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F2BF3F
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateEvent$CountCriticalException@8InitializeSectionSpinThrow
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 2324559976-938174528
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,00000000,?,?,?), ref: 02F4B2B4
                                                                                                                                          • Part of subcall function 02F4A2A0: WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F4A2E3
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?), ref: 02F4B2DF
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F4B30C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterObjectSingleWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3156609256-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(?), ref: 02F4188E
                                                                                                                                        • UnmapViewOfFile.KERNEL32(?), ref: 02F4189F
                                                                                                                                          • Part of subcall function 02F368C0: GetLastError.KERNEL32(02F351EC), ref: 02F368C0
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F418BF
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F418D7
                                                                                                                                        • UnmapViewOfFile.KERNEL32(?), ref: 02F41900
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F41920
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F41938
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$ErrorFileLastUnmapView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4017539725-0
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$CreateDestroy$CriticalDeleteFreeSection_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1764084169-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(?), ref: 02F3E83E
                                                                                                                                        • UnmapViewOfFile.KERNEL32(?), ref: 02F3E84F
                                                                                                                                          • Part of subcall function 02F368C0: GetLastError.KERNEL32(02F351EC), ref: 02F368C0
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F3E86F
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F3E887
                                                                                                                                        • UnmapViewOfFile.KERNEL32(?), ref: 02F3E8AC
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F3E8CC
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F3E8E4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$ErrorFileLastUnmapView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4017539725-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 02F4066B
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F40676
                                                                                                                                        • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 02F4069B
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F406ED
                                                                                                                                        • WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 02F40726
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F40730
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F40767
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CurrentThread$CompletionOverlappedQueuedResultStatus
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 190740389-0
                                                                                                                                        APIs
                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001001,?,?), ref: 02F3C14A
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F3C175
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3C184
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3C1A7
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?), ref: 02F3C1CA
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3C1D9
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3C215
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F3C2CC
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedIncrement.KERNEL32(?), ref: 02F3C2F2
                                                                                                                                          • Part of subcall function 02F3C260: WSASend.WS2_32(00000004,?,00000001,?,00000000,?,00000000), ref: 02F3C308
                                                                                                                                          • Part of subcall function 02F3C260: WSAGetLastError.WS2_32 ref: 02F3C313
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedDecrement.KERNEL32(?), ref: 02F3C324
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedDecrement.KERNEL32(00000002), ref: 02F3C32E
                                                                                                                                          • Part of subcall function 02F3C260: HeapFree.KERNEL32(?,00000000,?,?), ref: 02F3C361
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$InterlockedLeave$DecrementEnter$ErrorExchangeFreeHeapIncrementLastSendgetsockopt
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 152964496-0
                                                                                                                                        • Opcode ID: 14e4ee9375949bd56540b2499528d76c52a301fe79b4bd22ed662940452fb31c
                                                                                                                                        • Instruction ID: 154d9dd508e4bad72f6112b0771c1e519200abb6bb576617343275e53982a524
                                                                                                                                        • Opcode Fuzzy Hash: 14e4ee9375949bd56540b2499528d76c52a301fe79b4bd22ed662940452fb31c
                                                                                                                                        • Instruction Fuzzy Hash: 3731B472E405149BDB26DF88D8C4BAA7BA9FF48F84F10415AEF04EB244D771EA41CB91
                                                                                                                                        APIs
                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001001,?,?), ref: 02F415CA
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F415F5
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41604
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41627
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?), ref: 02F4164A
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41659
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41695
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedExchangeAdd.KERNEL32(?,00004000), ref: 02F4174C
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedIncrement.KERNEL32(?), ref: 02F41772
                                                                                                                                          • Part of subcall function 02F416E0: WSASend.WS2_32(?,00004000,00000001,00000000,00000000,?,00000000), ref: 02F41788
                                                                                                                                          • Part of subcall function 02F416E0: WSAGetLastError.WS2_32 ref: 02F41793
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedDecrement.KERNEL32(?), ref: 02F417A4
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedDecrement.KERNEL32(00000002), ref: 02F417AE
                                                                                                                                          • Part of subcall function 02F416E0: HeapFree.KERNEL32(?,00000000,?,?), ref: 02F417E1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$InterlockedLeave$DecrementEnter$ErrorExchangeFreeHeapIncrementLastSendgetsockopt
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 152964496-0
                                                                                                                                        • Opcode ID: 1eca0264b293f241ce1eae2d8af515f99eda3e058e5cfc3fa81e05853a97fc10
                                                                                                                                        • Instruction ID: e0ed372398e84f4a30a6cf25c1c1a29da784a21e6cab251b41afcf2949622f54
                                                                                                                                        • Opcode Fuzzy Hash: 1eca0264b293f241ce1eae2d8af515f99eda3e058e5cfc3fa81e05853a97fc10
                                                                                                                                        • Instruction Fuzzy Hash: 6031C371E002149BDB24DF48D4C4AAB7FA9BF49784F144159EF099B284EBB2D981CF91
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$CreateDestroy$CriticalDeleteFreeSection_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1764084169-0
                                                                                                                                        • Opcode ID: d0020a3befd80e480fd5570e7fc4fc409eb8e9a450f82ef8f0a0b19a6748dbe2
                                                                                                                                        • Instruction ID: fc6b638375597b19ebfc93d34f7edf65e14834028540f46cfedbb3008e30d0f8
                                                                                                                                        • Opcode Fuzzy Hash: d0020a3befd80e480fd5570e7fc4fc409eb8e9a450f82ef8f0a0b19a6748dbe2
                                                                                                                                        • Instruction Fuzzy Hash: DD415CB5A002109BCF14DF64C9C4A9777A6FF89340F1585A9DE08DB30ADB70ED45CBA0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F,?,?,02F36AD7,?,?,00000000,?,?,?,02F36A99,?,?,?), ref: 02F36BB1
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F36BCE
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 02F36C8E
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F36C99
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$CompletionDecrementErrorIncrementLastPostQueuedStatus
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2216264528-0
                                                                                                                                        • Opcode ID: 347b3e9f20dd7ec0bdce270058792602d3a8a8400160dc6ddee960cdf1cf2610
                                                                                                                                        • Instruction ID: 614cfa67ed78b3b5ce695b12eb6e139ef623458918c4a02e0e3922ddcea361a3
                                                                                                                                        • Opcode Fuzzy Hash: 347b3e9f20dd7ec0bdce270058792602d3a8a8400160dc6ddee960cdf1cf2610
                                                                                                                                        • Instruction Fuzzy Hash: C831D432A40214BBD721CF58E884BAAB7ADFF08391F004556EE09C7640D771A960C7E5
                                                                                                                                        APIs
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F3C2CC
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F3C2F2
                                                                                                                                        • WSASend.WS2_32(00000004,?,00000001,?,00000000,?,00000000), ref: 02F3C308
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3C313
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3C324
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000002), ref: 02F3C32E
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?), ref: 02F3C361
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Decrement$ErrorExchangeFreeHeapIncrementLastSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 941312861-0
                                                                                                                                        • Opcode ID: d61a05fd7aa7b995b785a1eb29b4327247bceb1da792c719c691eca8e5547489
                                                                                                                                        • Instruction ID: 33d2d88aba8a4d03eec0c81e21aa5a73a5329c7aa91800e8e30376db1f31c275
                                                                                                                                        • Opcode Fuzzy Hash: d61a05fd7aa7b995b785a1eb29b4327247bceb1da792c719c691eca8e5547489
                                                                                                                                        • Instruction Fuzzy Hash: 88316D71901204DFDB24DF68C988B9ABBF8BF08744F04056AEE0AEB645D730E544CB60
                                                                                                                                        APIs
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,00004000), ref: 02F4174C
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F41772
                                                                                                                                        • WSASend.WS2_32(?,00004000,00000001,00000000,00000000,?,00000000), ref: 02F41788
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F41793
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F417A4
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000002), ref: 02F417AE
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?), ref: 02F417E1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Decrement$ErrorExchangeFreeHeapIncrementLastSend
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 941312861-0
                                                                                                                                        • Opcode ID: 3e27631c2ec47b3f730c189e8618954b5f5af9e4aeb4123b1f037f387af1a94b
                                                                                                                                        • Instruction ID: cfadc74604e2e01a1954df7d2f78d5c9d187c1f6055415fc6d5be50f3b259afe
                                                                                                                                        • Opcode Fuzzy Hash: 3e27631c2ec47b3f730c189e8618954b5f5af9e4aeb4123b1f037f387af1a94b
                                                                                                                                        • Instruction Fuzzy Hash: F2316D71A002089FDB24CF64C988F9BBBF8AF08784F14456AEE0DDB641DB70A580CB60
                                                                                                                                        APIs
                                                                                                                                        • TlsGetValue.KERNEL32(011D618C,011D617C,00000000,0118FEC4,011D618C,?,010A3881,011D617C,00000000), ref: 010A3624
                                                                                                                                        • EnterCriticalSection.KERNEL32(011D61A8,00000010,?,010A3881,011D617C,00000000), ref: 010A3673
                                                                                                                                        • LeaveCriticalSection.KERNEL32(011D61A8,00000000,?,010A3881,011D617C,00000000), ref: 010A3686
                                                                                                                                        • LocalAlloc.KERNEL32(00000000,00000005,?,010A3881,011D617C,00000000), ref: 010A369C
                                                                                                                                        • LocalReAlloc.KERNEL32(?,00000005,00000002,?,010A3881,011D617C,00000000), ref: 010A36AE
                                                                                                                                        • _memset.LIBCMT ref: 010A36DA
                                                                                                                                        • TlsSetValue.KERNEL32(011D618C,00000000,010A3881,011D617C,00000000), ref: 010A36EA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocCriticalLocalSectionValue$EnterLeave_memset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 364526299-0
                                                                                                                                        • Opcode ID: 5cf311711e2d8cc059503287308f365e995c34552e06f1481308b85fb0162226
                                                                                                                                        • Instruction ID: 42a26f04ea80874d3d32c2dacd39e11ea1837409e1a3a4c103e175f5b5c08922
                                                                                                                                        • Opcode Fuzzy Hash: 5cf311711e2d8cc059503287308f365e995c34552e06f1481308b85fb0162226
                                                                                                                                        • Instruction Fuzzy Hash: 90318C71200A05AFD724DF58C899EAAB7F8FF48361F40C619E59ACB740EB71E814CB60
                                                                                                                                        APIs
                                                                                                                                        • 0167C4C5.CRTDLL(?,?,10003835), ref: 100033F6
                                                                                                                                        • deflateEnd.Z(?,?,10003835), ref: 1000340D
                                                                                                                                        • 0167C4C5.CRTDLL(?,?,10003835), ref: 10003452
                                                                                                                                        • 0167C4C5.CRTDLL(?,?,10003835), ref: 10003462
                                                                                                                                        • 0167C4C5.CRTDLL(?,?,10003835), ref: 10003472
                                                                                                                                        • 0167C4C5.CRTDLL(?,?,10003835), ref: 1000347B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: 0167$deflate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2873484036-0
                                                                                                                                        • Opcode ID: 4c42e5a481e8cb6d1154785bdf704bc6f448e1cd3cced1ac3630a58c1e8f8afb
                                                                                                                                        • Instruction ID: 8a9d3cae50af51644dd3d1ad79693e67cc4cc00fea9b789beb4838845e0ef17c
                                                                                                                                        • Opcode Fuzzy Hash: 4c42e5a481e8cb6d1154785bdf704bc6f448e1cd3cced1ac3630a58c1e8f8afb
                                                                                                                                        • Instruction Fuzzy Hash: 601186E5B0065147FBA3C9395C45B1B23DDDF815D03058634F846DB68DEA65F98282B2
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F,?,?,02F2C187,?,?,?), ref: 02F3BBA2
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F3BBBB
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,02F2C187,?,?,?), ref: 02F3BBC5
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,02F2C187,?,?,?), ref: 02F3BBEB
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3BBF2
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,00000057,00000002,00000000,?,?,02F2C187,?,?,?), ref: 02F3BC19
                                                                                                                                        • SetLastError.KERNEL32(00000057,?,?,02F2C187,?,?,?), ref: 02F3BC20
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorInterlockedLastSection$CompletionDecrementEnterIncrementLeavePostQueuedStatus
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1390802861-0
                                                                                                                                        • Opcode ID: 7fcab956f475f2ca97c842551f8f0b84aa1b13c1ca59d95afc5006da965df91f
                                                                                                                                        • Instruction ID: 8add776fd9b9f24b6a78292e3122e970068a28a113f599ee3e78e499923d97ef
                                                                                                                                        • Opcode Fuzzy Hash: 7fcab956f475f2ca97c842551f8f0b84aa1b13c1ca59d95afc5006da965df91f
                                                                                                                                        • Instruction Fuzzy Hash: 40118632D40629ABD7219B64D898EAB77ADFF49BE5F018414FB059B600CB34ED51CBA0
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,02F67F20,00000008,02F50518,00000000,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C), ref: 02F50421
                                                                                                                                        • __lock.LIBCMT ref: 02F50455
                                                                                                                                          • Part of subcall function 02F50C18: __mtinitlocknum.LIBCMT ref: 02F50C2E
                                                                                                                                          • Part of subcall function 02F50C18: __amsg_exit.LIBCMT ref: 02F50C3A
                                                                                                                                          • Part of subcall function 02F50C18: EnterCriticalSection.KERNEL32(?,?,?,02F4D5FB,00000008,02F67E60,00000020,02F4D739,?,00000001,00000000,?,02F4D79D,00000003,02F286E5), ref: 02F50C42
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F746E0), ref: 02F50462
                                                                                                                                        • __lock.LIBCMT ref: 02F50476
                                                                                                                                        • ___addlocaleref.LIBCMT ref: 02F50494
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                                        • String ID: KERNEL32.DLL
                                                                                                                                        • API String ID: 637971194-2576044830
                                                                                                                                        • Opcode ID: 639d7f601b7c8770436cf64f8eff7e1bfb2ac7a48700ff022354e173ceb894fa
                                                                                                                                        • Instruction ID: 143018d706b41cbe3e11a9c275e1135506aa3e3c8a9f2e6e39e251b67c889065
                                                                                                                                        • Opcode Fuzzy Hash: 639d7f601b7c8770436cf64f8eff7e1bfb2ac7a48700ff022354e173ceb894fa
                                                                                                                                        • Instruction Fuzzy Hash: FD016D71844B24EFE720EF65D90874AFBE0AF043A0F10894EDB9697690CFB4A685CF55
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 02F583CC
                                                                                                                                          • Part of subcall function 02F5053D: __getptd_noexit.LIBCMT ref: 02F50540
                                                                                                                                          • Part of subcall function 02F5053D: __amsg_exit.LIBCMT ref: 02F5054D
                                                                                                                                        • __getptd.LIBCMT ref: 02F583DD
                                                                                                                                        • __getptd.LIBCMT ref: 02F583EB
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                        • String ID: MOC$RCC$csm
                                                                                                                                        • API String ID: 803148776-2671469338
                                                                                                                                        • Opcode ID: f4bf0c396d825679a0a78e0068055177d0fbaec516c099ffbf2cea2dd37b1b1d
                                                                                                                                        • Instruction ID: e0db3b7e09a5dd3c5479aacd78edfc527501c0dea4401749a860931bab2aecf5
                                                                                                                                        • Opcode Fuzzy Hash: f4bf0c396d825679a0a78e0068055177d0fbaec516c099ffbf2cea2dd37b1b1d
                                                                                                                                        • Instruction Fuzzy Hash: 72E01231510624CFC7209B64D4497A933E5FB487D8F5600A5DF0DC7221DB78D8D4CE92
                                                                                                                                        APIs
                                                                                                                                        • WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 02F3D0F5
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3D100
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F3D138
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F3D152
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3D17F
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,6EBCDBE2,?,?,02F3AD57,?,?,?), ref: 02F3D200
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4219686125-0
                                                                                                                                        • Opcode ID: 22651b9b53965a198ef0ec68cda97df8c5ca42d1ae24e061ac83cb7533b034f5
                                                                                                                                        • Instruction ID: 198e833ceefbb6bb8f77fee5e5989b76dbc68cad7f768989bf40d14a51cb5fec
                                                                                                                                        • Opcode Fuzzy Hash: 22651b9b53965a198ef0ec68cda97df8c5ca42d1ae24e061ac83cb7533b034f5
                                                                                                                                        • Instruction Fuzzy Hash: F0515F75E002059FEB15DF64C884BAAB7B9FF48794F104669EE16DB384D734E901CB60
                                                                                                                                        APIs
                                                                                                                                        • WSARecv.WS2_32(00000000,?,00000001,00000000,?,00000000,00000000), ref: 02F41A05
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F41A10
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F41A48
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F41A62
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41A8F
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,6EBCDBE2,?,?,?,?), ref: 02F41B10
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4219686125-0
                                                                                                                                        • Opcode ID: bcbcc6a85769c87536d40f16d215b234ace83216ee9804e2fe9af6a5920661e6
                                                                                                                                        • Instruction ID: b6fb7884d62ad98092f265c60a1ac265898aaa1f214bcc3a188602d4b025b119
                                                                                                                                        • Opcode Fuzzy Hash: bcbcc6a85769c87536d40f16d215b234ace83216ee9804e2fe9af6a5920661e6
                                                                                                                                        • Instruction Fuzzy Hash: CA515F75E002059FDB14CF58D884BAB7BB9FF48390F10466AEA19DB780DBB4E941CB60
                                                                                                                                        APIs
                                                                                                                                        • socket.WS2_32(?,00000001,00000006), ref: 02F4053A
                                                                                                                                        • HeapAlloc.KERNEL32(00000000,00000000,?,?), ref: 02F40567
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F405DC
                                                                                                                                        • closesocket.WS2_32(00000001), ref: 02F4061B
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 02F40639
                                                                                                                                        • InterlockedDecrement.KERNEL32(-00000398), ref: 02F40646
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$AllocDecrementErrorFreeInterlockedLastclosesocketsocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3429847540-0
                                                                                                                                        • Opcode ID: 89945190dbff16b5dd5701b5c364be12009c3cb28624109ceb84b9bb29a19196
                                                                                                                                        • Instruction ID: 5b4f1c5c2a5be3e6d2f3e6b52c63c25f56d52774ae51cd71b11e157f180e07d2
                                                                                                                                        • Opcode Fuzzy Hash: 89945190dbff16b5dd5701b5c364be12009c3cb28624109ceb84b9bb29a19196
                                                                                                                                        • Instruction Fuzzy Hash: 51412EB1A003159FDB14DF69C8C0A5ABBF9EF48344F1045A9EA05DB241EB70EA51CFA0
                                                                                                                                        APIs
                                                                                                                                        • WSARecv.WS2_32(?,?,00000001,?,?,00000000,00000000), ref: 02F3D0F5
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F3D100
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F3D138
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F3D152
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3D17F
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,6EBCDBE2,?,?,02F3AD57,?,?,?), ref: 02F3D200
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4219686125-0
                                                                                                                                        APIs
                                                                                                                                        • WSARecv.WS2_32(00000000,?,00000001,00000000,?,00000000,00000000), ref: 02F41A05
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F41A10
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F41A48
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F41A62
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41A8F
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,6EBCDBE2,?,?,?,?), ref: 02F41B10
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterFreeHeapLeaveRecv
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4219686125-0
                                                                                                                                        APIs
                                                                                                                                        • setsockopt.WS2_32(?,00000000,0000000A,?,00000004), ref: 02F3816E
                                                                                                                                        • setsockopt.WS2_32(?,00000000,0000000B,?,00000004), ref: 02F3818A
                                                                                                                                        • setsockopt.WS2_32(?,00000000,0000000C,7556DFA0,00000008), ref: 02F381BD
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        • setsockopt.WS2_32(?,00000029,0000000A,?,00000004), ref: 02F381DC
                                                                                                                                        • setsockopt.WS2_32(?,00000029,0000000B,?,00000004), ref: 02F381F8
                                                                                                                                        • setsockopt.WS2_32(?,00000029,0000000C,02F44658,00000014), ref: 02F38246
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: setsockopt$Exception@8Throw
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 549783214-0
                                                                                                                                        APIs
                                                                                                                                        • _memmove.LIBCMT ref: 02F4BF3E
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F4BF57
                                                                                                                                        • WSASendTo.WS2_32(?,?,00000001,00000000,00000000,?,?,?,00000000), ref: 02F4BF9F
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?), ref: 02F4BFAA
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000002), ref: 02F4BFBB
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 02F4BFE9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$DecrementErrorExchangeFreeHeapLastSend_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1163604154-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,?,02F5B7B8,000000FF,?,02F4211C,?,?,?), ref: 02F426C8
                                                                                                                                        • WSASetLastError.WS2_32(0000000D,?,?,?,02F5B7B8,000000FF,?,02F4211C,?,?,?), ref: 02F426E0
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F426E7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4082018349-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,00000000,?,?,02F5B7B8,000000FF,?,02F43092,?,?,00000000), ref: 02F43D68
                                                                                                                                        • WSASetLastError.WS2_32(0000000D,?,02F43092,?,?,00000000,?,?,?,?,?,02F5CC98,000000FF), ref: 02F43D80
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F43D87
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4082018349-0
                                                                                                                                        APIs
                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001001,?,?), ref: 02F41499
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02F414D8
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F414EE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41500
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F41530
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,000000F3,?,00000000), ref: 02F41553
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedExchangeAdd.KERNEL32(?,00004000), ref: 02F4174C
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedIncrement.KERNEL32(?), ref: 02F41772
                                                                                                                                          • Part of subcall function 02F416E0: WSASend.WS2_32(?,00004000,00000001,00000000,00000000,?,00000000), ref: 02F41788
                                                                                                                                          • Part of subcall function 02F416E0: WSAGetLastError.WS2_32 ref: 02F41793
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedDecrement.KERNEL32(?), ref: 02F417A4
                                                                                                                                          • Part of subcall function 02F416E0: InterlockedDecrement.KERNEL32(00000002), ref: 02F417AE
                                                                                                                                          • Part of subcall function 02F416E0: HeapFree.KERNEL32(?,00000000,?,?), ref: 02F417E1
                                                                                                                                          • Part of subcall function 02F3F730: EnterCriticalSection.KERNEL32(?), ref: 02F3F759
                                                                                                                                          • Part of subcall function 02F3F730: EnterCriticalSection.KERNEL32(?), ref: 02F3F763
                                                                                                                                          • Part of subcall function 02F3F730: LeaveCriticalSection.KERNEL32(?), ref: 02F3F782
                                                                                                                                          • Part of subcall function 02F3F730: LeaveCriticalSection.KERNEL32(?), ref: 02F3F785
                                                                                                                                          • Part of subcall function 02F3F730: timeGetTime.WINMM(?,00000000,?,?,?), ref: 02F3F7B4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Interlocked$Leave$Enter$DecrementExchange$CompareCompletionErrorFreeHeapIncrementLastPostQueuedSendStatusTimegetsockopttime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1633786011-0
                                                                                                                                        APIs
                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001001,?,?), ref: 02F3C019
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(00000001,00000000,00000001), ref: 02F3C058
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F3C06E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3C080
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3C0B0
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,000000F3,?,00000000), ref: 02F3C0D3
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F3C2CC
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedIncrement.KERNEL32(?), ref: 02F3C2F2
                                                                                                                                          • Part of subcall function 02F3C260: WSASend.WS2_32(00000004,?,00000001,?,00000000,?,00000000), ref: 02F3C308
                                                                                                                                          • Part of subcall function 02F3C260: WSAGetLastError.WS2_32 ref: 02F3C313
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedDecrement.KERNEL32(?), ref: 02F3C324
                                                                                                                                          • Part of subcall function 02F3C260: InterlockedDecrement.KERNEL32(00000002), ref: 02F3C32E
                                                                                                                                          • Part of subcall function 02F3C260: HeapFree.KERNEL32(?,00000000,?,?), ref: 02F3C361
                                                                                                                                          • Part of subcall function 02F39F00: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F29
                                                                                                                                          • Part of subcall function 02F39F00: EnterCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F33
                                                                                                                                          • Part of subcall function 02F39F00: LeaveCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F52
                                                                                                                                          • Part of subcall function 02F39F00: LeaveCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F55
                                                                                                                                          • Part of subcall function 02F39F00: timeGetTime.WINMM(?,00000000,?,?,?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F84
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Interlocked$Leave$Enter$DecrementExchange$CompareCompletionErrorFreeHeapIncrementLastPostQueuedSendStatusTimegetsockopttime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1633786011-0
                                                                                                                                        APIs
                                                                                                                                        • _memmove.LIBCMT ref: 02F4BF3E
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F4BF57
                                                                                                                                        • WSASendTo.WS2_32(?,?,00000001,00000000,00000000,?,?,?,00000000), ref: 02F4BF9F
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?), ref: 02F4BFAA
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000002), ref: 02F4BFBB
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 02F4BFE9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$DecrementErrorExchangeFreeHeapLastSend_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1163604154-0
                                                                                                                                        • Opcode ID: 709bcb352d52837add6322720ceca73d10b54c264128f0b9dee4570eadf6c4a2
                                                                                                                                        • Instruction ID: 914a1be5c1c541ba198c7ce50d087becd2e33a6aa13e18e353381eb42aae61cd
                                                                                                                                        • Opcode Fuzzy Hash: 709bcb352d52837add6322720ceca73d10b54c264128f0b9dee4570eadf6c4a2
                                                                                                                                        • Instruction Fuzzy Hash: E531A971D006049FD714CFA9C884AAAB7F9FF44368F14866DEA0E87642DBB1E545CF50
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F2C73B
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2C749
                                                                                                                                        • _free.LIBCMT ref: 02F2C773
                                                                                                                                        • HeapDestroy.KERNEL32(?,?), ref: 02F2C7B9
                                                                                                                                        • DeleteTimerQueueEx.KERNEL32(?,000000FF,?), ref: 02F2C7D0
                                                                                                                                        • CloseHandle.KERNEL32(?,?), ref: 02F2C81E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseDeleteDestroyErrorHandleHeapLastObjectQueueSingleTimerWait_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3483398106-0
                                                                                                                                        • Opcode ID: d5afb8ea3da693a9664ce1c210a9bbffb54ee55314015404ee3cc4b31aedafda
                                                                                                                                        • Instruction ID: f33618b05710d7b8217e75a7616f2ee60b3878a65290a367557686b02f202414
                                                                                                                                        • Opcode Fuzzy Hash: d5afb8ea3da693a9664ce1c210a9bbffb54ee55314015404ee3cc4b31aedafda
                                                                                                                                        • Instruction Fuzzy Hash: 1031A571E40656ABCB04DF78DD84B8AF7A9FF05390F50462AEB29D3240CB74A918CB91
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F2B9CB
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2B9D9
                                                                                                                                        • _free.LIBCMT ref: 02F2BA03
                                                                                                                                        • DeleteTimerQueueEx.KERNEL32(?,000000FF,?), ref: 02F2BA44
                                                                                                                                        • HeapDestroy.KERNEL32(?,?), ref: 02F2BA78
                                                                                                                                        • CloseHandle.KERNEL32(?,?), ref: 02F2BAA2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseDeleteDestroyErrorHandleHeapLastObjectQueueSingleTimerWait_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3483398106-0
                                                                                                                                        • Opcode ID: 0fd1938f96cd7a5f619cd041b41e782e828e94359e5d87d34733b18c220bb681
                                                                                                                                        • Instruction ID: b014327a25ebcde4ada2618707e12f99b67690dae215bbd628832ab951bc631d
                                                                                                                                        • Opcode Fuzzy Hash: 0fd1938f96cd7a5f619cd041b41e782e828e94359e5d87d34733b18c220bb681
                                                                                                                                        • Instruction Fuzzy Hash: 3031A4B1E00656ABDB00DF78DD84B8AF7A9FF05394F50062AEE29D7240D734A518CB90
                                                                                                                                        APIs
                                                                                                                                        • __lock.LIBCMT ref: 0108011D
                                                                                                                                          • Part of subcall function 010851F2: __mtinitlocknum.LIBCMT ref: 01085208
                                                                                                                                          • Part of subcall function 010851F2: __amsg_exit.LIBCMT ref: 01085214
                                                                                                                                          • Part of subcall function 010851F2: EnterCriticalSection.KERNEL32(00000000,00000000,?,0108180B,0000000D,?,01099BB3,0109A216,00000200,0109A216,01099D38,0109A223,011AE608,?,011AE608,0109A025), ref: 0108521C
                                                                                                                                        • DecodePointer.KERNEL32(01188AF0,00000020,01080276,00000000,00000001,00000000,?,010802B6,000000FF,?,01085219,00000011,00000000,?,0108180B,0000000D), ref: 01080159
                                                                                                                                        • DecodePointer.KERNEL32(?,010802B6,000000FF,?,01085219,00000011,00000000,?,0108180B,0000000D,?,01099BB3,0109A216,00000200,0109A216,01099D38), ref: 0108016A
                                                                                                                                          • Part of subcall function 0108173E: EncodePointer.KERNEL32(00000000,01080186,?,010802B6,000000FF,?,01085219,00000011,00000000,?,0108180B,0000000D,?,01099BB3,0109A216,00000200), ref: 01081740
                                                                                                                                        • DecodePointer.KERNEL32(-00000004,?,010802B6,000000FF,?,01085219,00000011,00000000,?,0108180B,0000000D,?,01099BB3,0109A216,00000200,0109A216), ref: 01080190
                                                                                                                                        • DecodePointer.KERNEL32(?,010802B6,000000FF,?,01085219,00000011,00000000,?,0108180B,0000000D,?,01099BB3,0109A216,00000200,0109A216,01099D38), ref: 010801A3
                                                                                                                                        • DecodePointer.KERNEL32(?,010802B6,000000FF,?,01085219,00000011,00000000,?,0108180B,0000000D,?,01099BB3,0109A216,00000200,0109A216,01099D38), ref: 010801AD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2005412495-0
                                                                                                                                        • Opcode ID: 9c3cfb8bfc3933f73c23a75a2b6de9a11c2eb5bf1735f9924115fd0c85e1f4d9
                                                                                                                                        • Instruction ID: 97577e48a84ad668c5277c811bb2241accd15a1b4021e0bc3708ad1e62b9e900
                                                                                                                                        • Opcode Fuzzy Hash: 9c3cfb8bfc3933f73c23a75a2b6de9a11c2eb5bf1735f9924115fd0c85e1f4d9
                                                                                                                                        • Instruction Fuzzy Hash: 33315330D1530ADFEF50BFA9D8446DCBBF0BF09224F14416AE5D1A6258DBB48885CF14
                                                                                                                                        APIs
                                                                                                                                        • select.WS2_32(00000000,00000000,?,?,?), ref: 02F382ED
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F3830C
                                                                                                                                        • __WSAFDIsSet.WS2_32(?,?), ref: 02F3833C
                                                                                                                                        • getsockopt.WS2_32(?,0000FFFF,00001007,?,?), ref: 02F38365
                                                                                                                                        • GetLastError.KERNEL32(?,0000FFFF,00001007,?,?,?,?), ref: 02F3837E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$getsockoptselect
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1411559970-0
                                                                                                                                        • Opcode ID: 679293a59415f9798f1a42b623f966159f286b66b460c1ae6c1ecb4e1142e6c8
                                                                                                                                        • Instruction ID: d480f8d4c0c3a02ad7783e88d81a3d091ac8d7239f25daf656d678c69cb6e9e6
                                                                                                                                        • Opcode Fuzzy Hash: 679293a59415f9798f1a42b623f966159f286b66b460c1ae6c1ecb4e1142e6c8
                                                                                                                                        • Instruction Fuzzy Hash: 3B319471E4121C9BDB24DF65DC44BEDB7B8EF58780F0042ABFA09D6280EA749B408F50
                                                                                                                                        APIs
                                                                                                                                        • htons.WS2_32(?), ref: 02F37A18
                                                                                                                                        • WSAAddressToStringA.WS2_32(?,-0000001D,00000000,?,?), ref: 02F37A39
                                                                                                                                        • htons.WS2_32(?), ref: 02F37A56
                                                                                                                                        • StrPBrkA.SHLWAPI(?,02F64D34,?,?,?,02F30C78,?,?), ref: 02F37A7B
                                                                                                                                        • StrChrA.SHLWAPI(?,00000025,?,?,?,02F30C78,?,?), ref: 02F37A86
                                                                                                                                        • _memmove.LIBCMT ref: 02F37AAA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: htons$AddressString_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2092185379-0
                                                                                                                                        • Opcode ID: e7281eb0f7ff58b08ee1ea2e580e50a04a54759896a1f1770216cab13af532f5
                                                                                                                                        • Instruction ID: 29299df042868aec4f6eb4b643195a090a878142149815c6d61036e85cb9840a
                                                                                                                                        • Opcode Fuzzy Hash: e7281eb0f7ff58b08ee1ea2e580e50a04a54759896a1f1770216cab13af532f5
                                                                                                                                        • Instruction Fuzzy Hash: 45210872A41315A7DB15AF38DC80B66F7E8EF49794F048519FE08C7250E775D640C650
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,6EBCDBE2), ref: 02F2ED76
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2ED84
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?), ref: 02F2EDAE
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?), ref: 02F2EDB4
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2EDC7
                                                                                                                                        • _free.LIBCMT ref: 02F2EDEA
                                                                                                                                          • Part of subcall function 02F46C20: GetCurrentThreadId.KERNEL32 ref: 02F46C24
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalDeleteSection$CloseCurrentErrorHandleLastObjectSingleThreadWait_free
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000000,00000003), ref: 02F368EE
                                                                                                                                        • SetLastError.KERNEL32(0000139F), ref: 02F368FE
                                                                                                                                        • SetLastError.KERNEL32(?,?,?), ref: 02F36952
                                                                                                                                        • GetLastError.KERNEL32(?,?,?), ref: 02F36954
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?), ref: 02F36968
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompareExchangeInterlocked
                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F4BA0A
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F4BA1E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F4BA38
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4BA3F
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,00000000), ref: 02F4BA8E
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4BA95
                                                                                                                                          • Part of subcall function 02F4BB40: _memmove.LIBCMT ref: 02F4BB74
                                                                                                                                          • Part of subcall function 02F4BB40: InterlockedExchangeAdd.KERNEL32(02F4BA37,00000000), ref: 02F4BB87
                                                                                                                                          • Part of subcall function 02F4BB40: InterlockedDecrement.KERNEL32(?), ref: 02F4BBA8
                                                                                                                                          • Part of subcall function 02F4BB40: HeapFree.KERNEL32(00000000,00000000,?,?), ref: 02F4BBCD
                                                                                                                                          • Part of subcall function 02F4BB40: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02F4BBE0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$CriticalDecrementSection$ExchangeLeave$EnterFreeHeapIncrement_memmove
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F35250: _free.LIBCMT ref: 02F3526A
                                                                                                                                          • Part of subcall function 02F35250: _free.LIBCMT ref: 02F35273
                                                                                                                                          • Part of subcall function 02F35250: _malloc.LIBCMT ref: 02F352AD
                                                                                                                                          • Part of subcall function 02F35250: _malloc.LIBCMT ref: 02F352B9
                                                                                                                                          • Part of subcall function 02F35250: _memset.LIBCMT ref: 02F352C8
                                                                                                                                          • Part of subcall function 02F35250: _memset.LIBCMT ref: 02F352D6
                                                                                                                                        • _free.LIBCMT ref: 02F49123
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • _malloc.LIBCMT ref: 02F4915E
                                                                                                                                        • _memset.LIBCMT ref: 02F4916C
                                                                                                                                        • _free.LIBCMT ref: 02F49190
                                                                                                                                        • _malloc.LIBCMT ref: 02F491C2
                                                                                                                                        • _memset.LIBCMT ref: 02F491CD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free_malloc_memset$ErrorFreeHeapLast
                                                                                                                                        APIs
                                                                                                                                        • WSAEventSelect.WS2_32(?,00000000,00000023), ref: 02F467C2
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F467CD
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F467F9
                                                                                                                                        • send.WS2_32(?,00000000,00000000,00000000), ref: 02F4681A
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F46825
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F4685D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$EventException@8SelectThrowsend
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F35250: _free.LIBCMT ref: 02F3526A
                                                                                                                                          • Part of subcall function 02F35250: _free.LIBCMT ref: 02F35273
                                                                                                                                          • Part of subcall function 02F35250: _malloc.LIBCMT ref: 02F352AD
                                                                                                                                          • Part of subcall function 02F35250: _malloc.LIBCMT ref: 02F352B9
                                                                                                                                          • Part of subcall function 02F35250: _memset.LIBCMT ref: 02F352C8
                                                                                                                                          • Part of subcall function 02F35250: _memset.LIBCMT ref: 02F352D6
                                                                                                                                        • _free.LIBCMT ref: 02F395C3
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • _malloc.LIBCMT ref: 02F395FE
                                                                                                                                        • _memset.LIBCMT ref: 02F3960C
                                                                                                                                        • _free.LIBCMT ref: 02F3963C
                                                                                                                                        • _malloc.LIBCMT ref: 02F39677
                                                                                                                                        • _memset.LIBCMT ref: 02F39685
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free_malloc_memset$ErrorFreeHeapLast
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F35250: _free.LIBCMT ref: 02F3526A
                                                                                                                                          • Part of subcall function 02F35250: _free.LIBCMT ref: 02F35273
                                                                                                                                          • Part of subcall function 02F35250: _malloc.LIBCMT ref: 02F352AD
                                                                                                                                          • Part of subcall function 02F35250: _malloc.LIBCMT ref: 02F352B9
                                                                                                                                          • Part of subcall function 02F35250: _memset.LIBCMT ref: 02F352C8
                                                                                                                                          • Part of subcall function 02F35250: _memset.LIBCMT ref: 02F352D6
                                                                                                                                        • _free.LIBCMT ref: 02F3EC73
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • _malloc.LIBCMT ref: 02F3ECAE
                                                                                                                                        • _memset.LIBCMT ref: 02F3ECBC
                                                                                                                                        • _free.LIBCMT ref: 02F3ECEC
                                                                                                                                        • _malloc.LIBCMT ref: 02F3ED27
                                                                                                                                        • _memset.LIBCMT ref: 02F3ED35
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free_malloc_memset$ErrorFreeHeapLast
                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F41033
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,02F2B397,?,?,?), ref: 02F4103D
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,02F2B397,?,?,?), ref: 02F41067
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4106E
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,00000057,00000002,00000000,?,?,02F2B397,?,?,?), ref: 02F41098
                                                                                                                                        • SetLastError.KERNEL32(00000057,?,?,02F2B397,?,?,?), ref: 02F4109F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalInterlockedSection$CompletionDecrementEnterErrorIncrementLastLeavePostQueuedStatus
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 249042461-0
                                                                                                                                        • Opcode ID: fc30d37a893769a95270116b5f3f1604d466c9ac32b535303bfbc8b411e89208
                                                                                                                                        • Instruction ID: 54fee98512e552a98cfa05f9f3b217097c2fda16ce769824d65d1ca368d61cb2
                                                                                                                                        • Opcode Fuzzy Hash: fc30d37a893769a95270116b5f3f1604d466c9ac32b535303bfbc8b411e89208
                                                                                                                                        • Instruction Fuzzy Hash: 63118632E00665ABD7219A68D988A67BFACBF44FD0B054514EB09A7204CBB1FC9187D0
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 02F3526A
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • _free.LIBCMT ref: 02F35273
                                                                                                                                        • _malloc.LIBCMT ref: 02F352AD
                                                                                                                                        • _malloc.LIBCMT ref: 02F352B9
                                                                                                                                        • _memset.LIBCMT ref: 02F352C8
                                                                                                                                        • _memset.LIBCMT ref: 02F352D6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free_malloc_memset$ErrorFreeHeapLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3649356292-0
                                                                                                                                        • Opcode ID: 7b1135355703e925d0810d11f81cb8143bacf8c26263ce51eb6c531ecf7f3614
                                                                                                                                        • Instruction ID: 0289f03d25e09ce6c048cff19ff44fe416883a6da40c4d4b063353487441a208
                                                                                                                                        • Opcode Fuzzy Hash: 7b1135355703e925d0810d11f81cb8143bacf8c26263ce51eb6c531ecf7f3614
                                                                                                                                        • Instruction Fuzzy Hash: 8F11FAB1912616AFD314EF799D40B56FBE9BF08740F5041299B2CD3640EB71B520CBD0
                                                                                                                                        APIs
                                                                                                                                        • __CreateFrameInfo.LIBCMT ref: 02F58680
                                                                                                                                          • Part of subcall function 02F57720: __getptd.LIBCMT ref: 02F5772E
                                                                                                                                          • Part of subcall function 02F57720: __getptd.LIBCMT ref: 02F5773C
                                                                                                                                        • __getptd.LIBCMT ref: 02F5868A
                                                                                                                                          • Part of subcall function 02F5053D: __getptd_noexit.LIBCMT ref: 02F50540
                                                                                                                                          • Part of subcall function 02F5053D: __amsg_exit.LIBCMT ref: 02F5054D
                                                                                                                                        • __getptd.LIBCMT ref: 02F58698
                                                                                                                                        • __getptd.LIBCMT ref: 02F586A6
                                                                                                                                        • __getptd.LIBCMT ref: 02F586B1
                                                                                                                                        • _CallCatchBlock2.LIBCMT ref: 02F586D7
                                                                                                                                          • Part of subcall function 02F577C5: __CallSettingFrame@12.LIBCMT ref: 02F57811
                                                                                                                                          • Part of subcall function 02F5877E: __getptd.LIBCMT ref: 02F5878D
                                                                                                                                          • Part of subcall function 02F5877E: __getptd.LIBCMT ref: 02F5879B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1602911419-0
                                                                                                                                        • Opcode ID: 09191cda6977911469b930d76363a52337e949644b1881de2abc0641b8b5d828
                                                                                                                                        • Instruction ID: 2aa12cd591bdeb4c13ee360bd19b73549ab3c50f245bd6f62ad873746578096f
                                                                                                                                        • Opcode Fuzzy Hash: 09191cda6977911469b930d76363a52337e949644b1881de2abc0641b8b5d828
                                                                                                                                        • Instruction Fuzzy Hash: 8B11B4B59102199FDF00EFA4E844BEDBBB1FF08394F508069EA24A7251DB789A51DF60
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 01080829
                                                                                                                                          • Part of subcall function 010818EE: __getptd_noexit.LIBCMT ref: 010818F1
                                                                                                                                          • Part of subcall function 010818EE: __amsg_exit.LIBCMT ref: 010818FE
                                                                                                                                        • __amsg_exit.LIBCMT ref: 01080849
                                                                                                                                        • __lock.LIBCMT ref: 01080859
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 01080876
                                                                                                                                        • _free.LIBCMT ref: 01080889
                                                                                                                                        • InterlockedIncrement.KERNEL32(02FE1670), ref: 010808A1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3470314060-0
                                                                                                                                        • Opcode ID: e7f5679ebe472d70f2ac4f674d1075ccbf57d6aeb4b4125d3d85ca7c905454ff
                                                                                                                                        • Instruction ID: 6ad0b7b06a7b38a8d72725b1945185f688cafca4029dd484c81e0801930c4f7a
                                                                                                                                        • Opcode Fuzzy Hash: e7f5679ebe472d70f2ac4f674d1075ccbf57d6aeb4b4125d3d85ca7c905454ff
                                                                                                                                        • Instruction Fuzzy Hash: 1F018431E19B22EFDB75BB6894047AD7BA0BF00720F44816AF4D4A7288CB3455C9CBD1
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 02F537A2
                                                                                                                                          • Part of subcall function 02F5053D: __getptd_noexit.LIBCMT ref: 02F50540
                                                                                                                                          • Part of subcall function 02F5053D: __amsg_exit.LIBCMT ref: 02F5054D
                                                                                                                                        • __amsg_exit.LIBCMT ref: 02F537C2
                                                                                                                                        • __lock.LIBCMT ref: 02F537D2
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F537EF
                                                                                                                                        • _free.LIBCMT ref: 02F53802
                                                                                                                                        • InterlockedIncrement.KERNEL32(039A1680), ref: 02F5381A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3470314060-0
                                                                                                                                        • Opcode ID: 044ff6f08e57f882dc9540d443fd34c89339b8f22cffcc298f64749656c9f487
                                                                                                                                        • Instruction ID: d681ae7acb7a02a41284e481883e685322cdc992c7c7aaf6c09c27f5b2cec08c
                                                                                                                                        • Opcode Fuzzy Hash: 044ff6f08e57f882dc9540d443fd34c89339b8f22cffcc298f64749656c9f487
                                                                                                                                        • Instruction Fuzzy Hash: 7A01C436D40639ABDB15AB2CA804B5EBB70BF04BE2F050549DF0067280CB34A995CFD1
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F40249
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4025A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F40279
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4028F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F40299
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4029F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F402B1
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,6EBCDBE2), ref: 02F402D8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        • Opcode ID: 7af8785bc53a874fffeb18484b9acf5849ec718eabaddcd56ffcd99198a44c16
                                                                                                                                        • Instruction ID: 337cfc1719de7cb9d985e68cffeed6d9cffb7e45e764b4419b9ff7aba251c11a
                                                                                                                                        • Opcode Fuzzy Hash: 7af8785bc53a874fffeb18484b9acf5849ec718eabaddcd56ffcd99198a44c16
                                                                                                                                        • Instruction Fuzzy Hash: 4601BB71A90319BAFB289BA08C46FFD7A69AB48790F144919FB01B60C0EFF4D6448665
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F40339
                                                                                                                                        • timeGetTime.WINMM ref: 02F4034A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F40369
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4037F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F40389
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4038F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F403A1
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F403C8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        • Opcode ID: 4521bf49e0456bf0c17f9f5d445a68d0515bb1afba821e520e42125c5f102da5
                                                                                                                                        • Instruction ID: a9f8497eccddb0e07e1ff6d30105b9cca551c93176be9d4723bb2102d547f2f3
                                                                                                                                        • Opcode Fuzzy Hash: 4521bf49e0456bf0c17f9f5d445a68d0515bb1afba821e520e42125c5f102da5
                                                                                                                                        • Instruction Fuzzy Hash: A9011272E84314BFFB1897A08C45FFD7A69AB44794F144919F701EA1C0DFF4D5408661
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F3AA99
                                                                                                                                        • timeGetTime.WINMM ref: 02F3AAAA
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F3AAC9
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F3AADF
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F3AAE9
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F3AAEF
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F3AB01
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F3AB28
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        • Opcode ID: 4521bf49e0456bf0c17f9f5d445a68d0515bb1afba821e520e42125c5f102da5
                                                                                                                                        • Instruction ID: 1fb81268ba3cf3f11a342ca7eb5ce6812cd88bc6f8601426b00772e5fddd82fe
                                                                                                                                        • Opcode Fuzzy Hash: 4521bf49e0456bf0c17f9f5d445a68d0515bb1afba821e520e42125c5f102da5
                                                                                                                                        • Instruction Fuzzy Hash: E2016D72E80318FEFF24C7A18D49FFDB669AB48B90F14491AFB01A61C0EBB4D5008660
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F4AD09
                                                                                                                                        • timeGetTime.WINMM ref: 02F4AD1A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F4AD39
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4AD4F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F4AD59
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4AD5F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F4AD71
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F4AD98
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        • Opcode ID: 4521bf49e0456bf0c17f9f5d445a68d0515bb1afba821e520e42125c5f102da5
                                                                                                                                        • Instruction ID: a65ae9db3fbc220e15299c1f334c11172907c00fdffe6542d73d324e3a95d7d2
                                                                                                                                        • Opcode Fuzzy Hash: 4521bf49e0456bf0c17f9f5d445a68d0515bb1afba821e520e42125c5f102da5
                                                                                                                                        • Instruction Fuzzy Hash: DE016D72EC0319BAFB2487A08C55FFDBA39AB48B91F244919F702A60C0DFF4D5008660
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4AC19
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4AC2A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000032,000004FF), ref: 02F4AC49
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F4AC5F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F4AC69
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F4AC6F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F4AC81
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,6EBCDBE2), ref: 02F4ACA8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        • Opcode ID: 7af8785bc53a874fffeb18484b9acf5849ec718eabaddcd56ffcd99198a44c16
                                                                                                                                        • Instruction ID: 143c646bc030e1608700168e9bd52cbd96ef7efac9b5eb730281a005fe09edcd
                                                                                                                                        • Opcode Fuzzy Hash: 7af8785bc53a874fffeb18484b9acf5849ec718eabaddcd56ffcd99198a44c16
                                                                                                                                        • Instruction Fuzzy Hash: E401FB72E90318ABFB2487A08C95FFD7A28AB48790F144919E701A61C4EBF4D6049665
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F47D19
                                                                                                                                        • timeGetTime.WINMM ref: 02F47D2A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000004,00000000,-00000032,000004FF), ref: 02F47D49
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 02F47D5F
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F47D69
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F47D6F
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F47D81
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F47DA8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$PeekTimetime$DispatchErrorLastMultipleObjectsTranslateWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4242711932-0
                                                                                                                                        • Opcode ID: 7af8785bc53a874fffeb18484b9acf5849ec718eabaddcd56ffcd99198a44c16
                                                                                                                                        • Instruction ID: baa6dc1181472c5ffb93f5f0a90c121f44a52fd093a968dabf6b5f7757bc8b48
                                                                                                                                        • Opcode Fuzzy Hash: 7af8785bc53a874fffeb18484b9acf5849ec718eabaddcd56ffcd99198a44c16
                                                                                                                                        • Instruction Fuzzy Hash: 77011D71EA0319BAFB2497A08C85FFDBA38AB48790F144919F702A61C0EFF4D5048661
                                                                                                                                        APIs
                                                                                                                                        • crc32.Z(00000000,00000000,00000000), ref: 100039A8
                                                                                                                                        • deflateInit2_.Z(00000000,?,00000008,000000F1,00000008,?,1.1.4,00000038), ref: 10003A71
                                                                                                                                        • inflateInit2_.Z(00000000,000000F1,1.1.4,00000038), ref: 10003ABE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Init2_$crc32deflateinflate
                                                                                                                                        • String ID: %c%c%c%c%c%c%c%c%c%c$1.1.4
                                                                                                                                        • API String ID: 1283633553-176813217
                                                                                                                                        • Opcode ID: 6fdf4c9b9b2ddfe97faccecd9fb68c1b9c80f4dc05d8dcbd4796d0d2fbaeb182
                                                                                                                                        • Instruction ID: 1113d68dd0f885da237aa3a2f6361cd2d41f97f986c62145d23706540c0ac286
                                                                                                                                        • Opcode Fuzzy Hash: 6fdf4c9b9b2ddfe97faccecd9fb68c1b9c80f4dc05d8dcbd4796d0d2fbaeb182
                                                                                                                                        • Instruction Fuzzy Hash: 2A612974A447819FE321CF29888165BFBE9FB862C0F508D3EE1CA83248D771E8458B53
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 02F479ED
                                                                                                                                        • GetLastError.KERNEL32(vector<T> too long), ref: 02F479F2
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F47A05
                                                                                                                                        Strings
                                                                                                                                        • vector<T> too long, xrefs: 02F479E8
                                                                                                                                        • CUdpNode::CreateWorkerThreads, xrefs: 02F47A0E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Xinvalid_argumentstd::_
                                                                                                                                        • String ID: CUdpNode::CreateWorkerThreads$vector<T> too long
                                                                                                                                        • API String ID: 1024515993-170093053
                                                                                                                                        • Opcode ID: f87da4b18e4c53b60074c574c98640c62a1512fbcd5fc015c9f5a37db34f802b
                                                                                                                                        • Instruction ID: d3503ad3420b365d69b2ab60c7952f76b106e502bdfb14c7041524e62d8f013b
                                                                                                                                        • Opcode Fuzzy Hash: f87da4b18e4c53b60074c574c98640c62a1512fbcd5fc015c9f5a37db34f802b
                                                                                                                                        • Instruction Fuzzy Hash: 98411031B002055BDB28AE68CC95B7EFFA5EB48795F14866DDA46D7380DFF0A841C750
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 02F3F225
                                                                                                                                        • GetLastError.KERNEL32(vector<T> too long), ref: 02F3F22A
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F3F23A
                                                                                                                                        Strings
                                                                                                                                        • vector<T> too long, xrefs: 02F3F220
                                                                                                                                        • CTcpServer::CreateWorkerThreads, xrefs: 02F3F243
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Xinvalid_argumentstd::_
                                                                                                                                        • String ID: CTcpServer::CreateWorkerThreads$vector<T> too long
                                                                                                                                        • API String ID: 1024515993-3928122342
                                                                                                                                        • Opcode ID: 18cb92a3d0047b52aca48956a07324a251e77ed984fdc22f63950c1acd031c05
                                                                                                                                        • Instruction ID: bacde4bdda9e23db7d22cfce5ddb887f965c2450d0454731ef5e144bfaa40f85
                                                                                                                                        • Opcode Fuzzy Hash: 18cb92a3d0047b52aca48956a07324a251e77ed984fdc22f63950c1acd031c05
                                                                                                                                        • Instruction Fuzzy Hash: C841D931F002019BEB29AE78DC81B2E7796FB84395F24472DDB06D7684DA70E8418790
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 02F4965B
                                                                                                                                        • GetLastError.KERNEL32(vector<T> too long), ref: 02F49660
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F49673
                                                                                                                                        Strings
                                                                                                                                        • vector<T> too long, xrefs: 02F49656
                                                                                                                                        • CUdpServer::CreateWorkerThreads, xrefs: 02F4967C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Xinvalid_argumentstd::_
                                                                                                                                        • String ID: CUdpServer::CreateWorkerThreads$vector<T> too long
                                                                                                                                        • API String ID: 1024515993-3580873441
                                                                                                                                        • Opcode ID: d5e652aae485f2ff8f828c170c1629b54d490ab55b71c5ae7496ea62edddc861
                                                                                                                                        • Instruction ID: ce544412ba977ad7c62f8fc49011b604c800e71ff432491dcdeb119fbb65ddbc
                                                                                                                                        • Opcode Fuzzy Hash: d5e652aae485f2ff8f828c170c1629b54d490ab55b71c5ae7496ea62edddc861
                                                                                                                                        • Instruction Fuzzy Hash: CB41C671B002025BDB289E68C88576F7B95EB84795F24462DDF06DB284EEF0E841CB50
                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00000000,02F5D279,000000FF,?,02F3167B,00000000), ref: 02F2C93A
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F75038), ref: 02F2C99B
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateEventException@8IncrementInterlockedThrow
                                                                                                                                        • String ID: %s%u-$0/Wu$hp-pool-
                                                                                                                                        • API String ID: 3406750178-3424780837
                                                                                                                                        • Opcode ID: 54a5c6054514fc7f9c8988ee7f85bbd4eb5564df593a189a2d80bdbcb00265cb
                                                                                                                                        • Instruction ID: 517d412b5700684dc92ebe26154523f5b4ff225134dd41e4e3b39e08307f4da9
                                                                                                                                        • Opcode Fuzzy Hash: 54a5c6054514fc7f9c8988ee7f85bbd4eb5564df593a189a2d80bdbcb00265cb
                                                                                                                                        • Instruction Fuzzy Hash: FC3118B1940B44DFD320CF6AD98465AFBF4FB08754B908A2EEA9AD7B40D375A5048F50
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?), ref: 02F48756
                                                                                                                                          • Part of subcall function 02F37A00: htons.WS2_32(?), ref: 02F37A18
                                                                                                                                          • Part of subcall function 02F37A00: WSAAddressToStringA.WS2_32(?,-0000001D,00000000,?,?), ref: 02F37A39
                                                                                                                                          • Part of subcall function 02F37A00: htons.WS2_32(?), ref: 02F37A56
                                                                                                                                          • Part of subcall function 02F37A00: StrChrA.SHLWAPI(?,00000025,?,?,?,02F30C78,?,?), ref: 02F37A86
                                                                                                                                          • Part of subcall function 02F37A00: _memmove.LIBCMT ref: 02F37AAA
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F487A6
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F487B0
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,?), ref: 02F487D2
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlockedhtons$AddressDecrementErrorExchangeFreeHeapLastString_memmove
                                                                                                                                        • String ID: <
                                                                                                                                        • API String ID: 1270688484-4251816714
                                                                                                                                        • Opcode ID: cd85e02ceeb58cb0c5671f869c04d7a175085f9cb369e3fcf89f6aa1199bf368
                                                                                                                                        • Instruction ID: a9d491618bc90b6157287de2c14ba068a119cd6ebc17578e85ccc0e36536cc39
                                                                                                                                        • Opcode Fuzzy Hash: cd85e02ceeb58cb0c5671f869c04d7a175085f9cb369e3fcf89f6aa1199bf368
                                                                                                                                        • Instruction Fuzzy Hash: 881130716402099FCB14DF64DD84EDBBBBDEF48345B004559EA06D7240DA70EA15CBA0
                                                                                                                                        APIs
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(?,?,?,00000000,?,?,?,02F4732A,?,?,?), ref: 02F47A4D
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,?,?,?,?,02F4732A,?,?,?), ref: 02F47A7D
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,02F4732A,?,?,?), ref: 02F47A9C
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F47AAF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CompletionErrorLast$CreatePortPostQueuedStatus
                                                                                                                                        • String ID: CUdpNode::StartAccept
                                                                                                                                        • API String ID: 350138180-1978929408
                                                                                                                                        • Opcode ID: 443b8f7e9e071afcd51865e5fdbf1b61498b34b55d7cd9e83804fb41e4bb9838
                                                                                                                                        • Instruction ID: c53467e2fda6c326fc1f2e3cc519167e0265aa889cbda85afdeb0315e1b111a7
                                                                                                                                        • Opcode Fuzzy Hash: 443b8f7e9e071afcd51865e5fdbf1b61498b34b55d7cd9e83804fb41e4bb9838
                                                                                                                                        • Instruction Fuzzy Hash: 1711C671A40304EFD320DFA9DC44B5BF7E8EF88790F104909FA1993240CBB1A9108B60
                                                                                                                                        APIs
                                                                                                                                        • deflateInit_.Z ref: 1000188F
                                                                                                                                          • Part of subcall function 10003000: deflateInit2_.Z(00000038,00000038,00000008,0000000F,00000008,00000000,?,?,10001894), ref: 1000301C
                                                                                                                                        • deflate.Z(?,00000004), ref: 100018A0
                                                                                                                                        • deflateEnd.Z(00000038,?,00000004), ref: 100018B1
                                                                                                                                        • deflateEnd.Z(00000038,?,00000004), ref: 100018D4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: deflate$Init2_Init_
                                                                                                                                        • String ID: 1.1.4
                                                                                                                                        • API String ID: 281832837-362073112
                                                                                                                                        • Opcode ID: 471c5657e9c8797e59539922db82542368fd111ab8e5ea337675904b32f69195
                                                                                                                                        • Instruction ID: 0149ef16792967abe585693b6f9d09fabb760760dae36cf8f58ba7648ed28bb2
                                                                                                                                        • Opcode Fuzzy Hash: 471c5657e9c8797e59539922db82542368fd111ab8e5ea337675904b32f69195
                                                                                                                                        • Instruction Fuzzy Hash: 87117075508301AFD300DF59C880B8BBBE8EF88790F40892EFA9987264D775D909CB92
                                                                                                                                        APIs
                                                                                                                                        • inflateInit_.Z ref: 10008372
                                                                                                                                          • Part of subcall function 100059E0: inflateInit2_.Z(?,0000000F,?,?), ref: 100059F1
                                                                                                                                        • inflate.Z(?,00000004), ref: 10008383
                                                                                                                                        • inflateEnd.Z(00000038,?,00000004), ref: 10008394
                                                                                                                                        • inflateEnd.Z(00000038,?,00000004), ref: 100083B7
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: inflate$Init2_Init_
                                                                                                                                        • String ID: 1.1.4
                                                                                                                                        • API String ID: 3660615380-362073112
                                                                                                                                        • Opcode ID: a598d1fe7184e396efc40c5e9efd834b3284e2691a103eb00852bd610085e216
                                                                                                                                        • Instruction ID: c7498599f9d850a5a9d73f86be1a7bef61f8a2ae1eee3f1f68a422aa2cf2df00
                                                                                                                                        • Opcode Fuzzy Hash: a598d1fe7184e396efc40c5e9efd834b3284e2691a103eb00852bd610085e216
                                                                                                                                        • Instruction Fuzzy Hash: 2B012D76608301AFD340DF58C841A4FB7E4EFC9690F80891DFAD897264E771D905CB92
                                                                                                                                        APIs
                                                                                                                                        • ___BuildCatchObject.LIBCMT ref: 02F58A18
                                                                                                                                          • Part of subcall function 02F58973: ___BuildCatchObjectHelper.LIBCMT ref: 02F589A9
                                                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 02F58A2F
                                                                                                                                        • ___FrameUnwindToState.LIBCMT ref: 02F58A3D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                                        • String ID: csm$csm
                                                                                                                                        • API String ID: 2163707966-3733052814
                                                                                                                                        • Opcode ID: 963b8ca2d535485ad8cb560e7fc4b2a5f9d36ffb60d70dc080298b950874575e
                                                                                                                                        • Instruction ID: 77706adbe783b3f71a1b8bcf825abb28781472c7bb3cdbeb467808691e2faf1d
                                                                                                                                        • Opcode Fuzzy Hash: 963b8ca2d535485ad8cb560e7fc4b2a5f9d36ffb60d70dc080298b950874575e
                                                                                                                                        • Instruction Fuzzy Hash: DB01EF75401129FBDF22AF61CC44EEA7E6AEF083D4F008010FF1A55520D73699A2EBA5
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,02F37D16), ref: 02F38EFA
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateFileTransactedA), ref: 02F38F0A
                                                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,02F37D16), ref: 02F38F4A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressCreateFileHandleModuleProc
                                                                                                                                        • String ID: CreateFileTransactedA$kernel32.dll
                                                                                                                                        • API String ID: 2580138172-3827029016
                                                                                                                                        • Opcode ID: 03bc143431c7a64859c216eb316f38fc48934ff942067e9a4528e4bb5d86acd3
                                                                                                                                        • Instruction ID: 3154628a9c4d2042dfe97ccf70808e197599f9e4cecd7bf3c5f521b927d7b652
                                                                                                                                        • Opcode Fuzzy Hash: 03bc143431c7a64859c216eb316f38fc48934ff942067e9a4528e4bb5d86acd3
                                                                                                                                        • Instruction Fuzzy Hash: 83F0AC30BD0305BAFA321A309C9AF257655AB41FD5F644908F759F90C0DBE9F194C518
                                                                                                                                        APIs
                                                                                                                                        • inflate.Z(?,00000000), ref: 10003C8F
                                                                                                                                        • crc32.Z(?,?,?,?,00000000), ref: 10003CA7
                                                                                                                                        • inflateReset.Z(?,?,00000000), ref: 10003CDE
                                                                                                                                        • crc32.Z(00000000,00000000,00000000,?,?,00000000), ref: 10003CEF
                                                                                                                                        • crc32.Z(?,?,?), ref: 10003D2C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: crc32$inflate$Reset
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3696799415-0
                                                                                                                                        • Opcode ID: 83460813fa723ffe4d5192fdc9ebc2acf8a5f959ef03b96841dfc277ed564f83
                                                                                                                                        • Instruction ID: 4d578f2c10cf1e2a052ada6c267f34396e1c135e897c16ee8050c8714194c554
                                                                                                                                        • Opcode Fuzzy Hash: 83460813fa723ffe4d5192fdc9ebc2acf8a5f959ef03b96841dfc277ed564f83
                                                                                                                                        • Instruction Fuzzy Hash: C471097560424A9BEB14CF29D880A9F7BE8EF842A4F11C62AFD15DB384D771E9408B90
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4104443479-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F3C5E0: WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F3C63C
                                                                                                                                        • sendto.WS2_32(000000FF,02F60640,00000010,00000000,?,-0000001D), ref: 02F499E0
                                                                                                                                        • timeGetTime.WINMM(?,?,?), ref: 02F499FD
                                                                                                                                        • timeGetTime.WINMM ref: 02F49A0A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-0000001E,000004FF), ref: 02F49A24
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F49A55
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: TimeWaittime$ErrorLastMultipleObjectObjectsSinglesendto
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2424163294-0
                                                                                                                                        APIs
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 02F47E08
                                                                                                                                        • _memmove.LIBCMT ref: 02F47E40
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02F47EAA
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000001,000000FF,?,00000001,000000FF), ref: 02F47EC4
                                                                                                                                        • SetEvent.KERNEL32 ref: 02F47F4C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCompletionEventHandleMultipleObjectsPostQueuedStatusWait_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2875591274-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F2AB30: GetCurrentThreadId.KERNEL32 ref: 02F2AB4C
                                                                                                                                          • Part of subcall function 02F2AB30: WaitForSingleObject.KERNEL32(?,000000FF,02F48F37,?,?), ref: 02F2AB81
                                                                                                                                          • Part of subcall function 02F2AB30: GetCurrentThreadId.KERNEL32 ref: 02F2AB87
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,00000000,?,?,00000000), ref: 02F49EA0
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F49EB7
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?,?), ref: 02F49F2E
                                                                                                                                        • DeleteTimerQueueTimer.KERNEL32(?,?,000000FF,?,?,00000000,?,?,?,?), ref: 02F49F72
                                                                                                                                        • timeGetTime.WINMM(?,?,00000000,?,?,?,?), ref: 02F49F78
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalCurrentObjectSectionSingleThreadTimerWait$DeleteEnterLeaveQueueTimetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 623514114-0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3AEA7
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,00000001,?,?,?,?,00000000,?,02F3AD57,?,?,?), ref: 02F3AEC9
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3AED8
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3AF38
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3AF53
                                                                                                                                          • Part of subcall function 02F39F00: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F29
                                                                                                                                          • Part of subcall function 02F39F00: EnterCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F33
                                                                                                                                          • Part of subcall function 02F39F00: LeaveCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F52
                                                                                                                                          • Part of subcall function 02F39F00: LeaveCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F55
                                                                                                                                          • Part of subcall function 02F39F00: timeGetTime.WINMM(?,00000000,?,?,?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F84
                                                                                                                                          • Part of subcall function 02F3AF80: InterlockedIncrement.KERNEL32(?), ref: 02F3AFAD
                                                                                                                                          • Part of subcall function 02F3AF80: setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 02F3AFD2
                                                                                                                                          • Part of subcall function 02F3AF80: InterlockedDecrement.KERNEL32(?), ref: 02F3B029
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Decrement$CriticalSection$EnterLeave$FreeHeapIncrementTimesetsockopttime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3832054917-0
                                                                                                                                        APIs
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 01097FFB
                                                                                                                                          • Part of subcall function 0107DE61: RaiseException.KERNEL32(01187F78,?,?,010A3881,01187F78,?,?,010A33F7,?,010A3881,011D617C), ref: 0107DEA3
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 01098014
                                                                                                                                        • __EH_prolog.LIBCMT ref: 0109801E
                                                                                                                                          • Part of subcall function 0109AE8F: _memset.LIBCMT ref: 0109AEA6
                                                                                                                                        • _memset.LIBCMT ref: 01098056
                                                                                                                                        • lstrcpynA.KERNEL32(?,00000104,00000104,010A3881,011D617C), ref: 0109810B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_memset$ExceptionH_prologRaiselstrcpyn
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2877536555-0
                                                                                                                                        APIs
                                                                                                                                        • midiStreamStop.WINMM(00000000,00000000,011AE364,00000000,0102019A,00000000,011AE608,01012DE6,011AE608,?,01012B9F,011AE608,01010B56,00000001,00000000,000000FF), ref: 01020665
                                                                                                                                        • midiOutReset.WINMM(00000000,?,01012B9F,011AE608,01010B56,00000001,00000000,000000FF), ref: 01020683
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000007D0,?,01012B9F,011AE608,01010B56,00000001,00000000,000000FF), ref: 010206A6
                                                                                                                                        • midiStreamClose.WINMM(00000000,?,01012B9F,011AE608,01010B56,00000001,00000000,000000FF), ref: 010206E3
                                                                                                                                        • midiStreamClose.WINMM(00000000,?,01012B9F,011AE608,01010B56,00000001,00000000,000000FF), ref: 01020717
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: midi$Stream$Close$ObjectResetSingleStopWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3142198506-0
                                                                                                                                        • Opcode ID: 732c6273e91096454f79a1e167d0a4c168c8209ac9a39cf40a3c3f1b6ab0d036
                                                                                                                                        • Instruction ID: 30e38fbf488e084d8085566c54eac100bc610eb2b5c13dec02e206858c4ab47b
                                                                                                                                        • Opcode Fuzzy Hash: 732c6273e91096454f79a1e167d0a4c168c8209ac9a39cf40a3c3f1b6ab0d036
                                                                                                                                        • Instruction Fuzzy Hash: A0314072700B218FD7709F68D48855BB7E5BB98305B248A6EF2C6C6544C775E8458F90
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 02F4C436
                                                                                                                                          • Part of subcall function 02F34E40: HeapFree.KERNEL32(00000008,00000000,?,?,00000000,02F3C6B6), ref: 02F34E81
                                                                                                                                        • DeleteCriticalSection.KERNEL32(0000007C,6EBCDBE2,?,?,?,6EBCDBE2), ref: 02F4C3C3
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,6EBCDBE2), ref: 02F4C3DE
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,6EBCDBE2), ref: 02F4C3FB
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,6EBCDBE2), ref: 02F4C40E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseFreeHandleHeap$CriticalDeleteSection_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 104725616-0
                                                                                                                                        • Opcode ID: b758733a2f21875fcd06c5c6e7df2ba81740df3ea9f493d147099c71b10b4ac5
                                                                                                                                        • Instruction ID: ef1e5b539c20ace5180f4e2b02b60dcb4172a74085089a0541448e8a6dd05198
                                                                                                                                        • Opcode Fuzzy Hash: b758733a2f21875fcd06c5c6e7df2ba81740df3ea9f493d147099c71b10b4ac5
                                                                                                                                        • Instruction Fuzzy Hash: 7B31A1B1E006199FCB20CF28CA44B6AFBF8FF44B94F10491AEA65E7240C775A904CB90
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(02F4B096,00000000,00000001), ref: 02F4BD32
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BD41
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BD50
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3376869089-0
                                                                                                                                        • Opcode ID: 52579999eb6c963bc23e76b42d30da561a7262c2d27a0d0dfee3b37139846df6
                                                                                                                                        • Instruction ID: 9e8fb25024a905d0b27be27fd873518304b5481e785c247e6e1ea9fb87514c4c
                                                                                                                                        • Opcode Fuzzy Hash: 52579999eb6c963bc23e76b42d30da561a7262c2d27a0d0dfee3b37139846df6
                                                                                                                                        • Instruction Fuzzy Hash: 15218371E402089BD720CB59DD84B6ABBF9EF88794F204558FF06CB651CBB2E950CB50
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,6EBCDBE2), ref: 02F2CA3F
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F2CA4D
                                                                                                                                        • _free.LIBCMT ref: 02F2CA6D
                                                                                                                                        • _free.LIBCMT ref: 02F2CA80
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 02F2CA9A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$CloseErrorHandleLastObjectSingleWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3341676821-0
                                                                                                                                        • Opcode ID: 1eaa8ddcb1e6e5f31e8de9a20f2cabd15cc7980d19b57fdcb1bda48b1ad986f1
                                                                                                                                        • Instruction ID: 4675ff911e152597ec05689c44e7f841308157eff653576dbbe6d894e8e54b10
                                                                                                                                        • Opcode Fuzzy Hash: 1eaa8ddcb1e6e5f31e8de9a20f2cabd15cc7980d19b57fdcb1bda48b1ad986f1
                                                                                                                                        • Instruction Fuzzy Hash: E631D4B1A006569FCB10CF69D894A1AF7E8FF053A0B144B6EE629D7680D734A808CF90
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F36DD0: InterlockedCompareExchange.KERNEL32(?,00000002,00000001), ref: 02F36DE0
                                                                                                                                          • Part of subcall function 02F36DD0: InterlockedCompareExchange.KERNEL32(?,00000002,00000000), ref: 02F36DEC
                                                                                                                                          • Part of subcall function 02F36DD0: WaitForSingleObject.KERNEL32(0000029C,00000005,?,?,02F3699E,?,?,?,02F2CA39,000000FF,6EBCDBE2), ref: 02F36E09
                                                                                                                                          • Part of subcall function 02F36DD0: SetLastError.KERNEL32(0000139F,?,?,02F3699E,?,?,?,02F2CA39,000000FF,6EBCDBE2), ref: 02F36E17
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F2CA39,000000FF,6EBCDBE2), ref: 02F369B3
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F2CA39,000000FF,6EBCDBE2), ref: 02F369CA
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-0000000F,000004FF), ref: 02F369E9
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,02F2CA39,000000FF,6EBCDBE2), ref: 02F36A18
                                                                                                                                        • SetEvent.KERNEL32(?), ref: 02F36A5F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CompareErrorExchangeInterlockedLastTimeWaittime$EventMultipleObjectObjectsSingle
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 96278755-0
                                                                                                                                        • Opcode ID: 60fa8aa1cc2361cc0b9120fecb28bcf199e5a19ca76da281dfe2c4f8266a13f9
                                                                                                                                        • Instruction ID: 32ccbc1aabdcdf5b26e7b3a91ff80662d68da7a921f0b6380f391e0ff1cc6aa8
                                                                                                                                        • Opcode Fuzzy Hash: 60fa8aa1cc2361cc0b9120fecb28bcf199e5a19ca76da281dfe2c4f8266a13f9
                                                                                                                                        • Instruction Fuzzy Hash: B2210871A403106FDB259F69D88466AB7ECEF483A4B104B2DEB16C72C0D7B09944CB59
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,02F4B096,?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BDF9
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BE08
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BE2A
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,02F4B096,?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BE45
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BE54
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,02F4B50D,?,?,?,02F4B096,00000000,?,?), ref: 02F4BE8E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$Enter
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2978645861-0
                                                                                                                                        • Opcode ID: 7cdea3e1480aa1c9d5f14cac17bee4adaec2c93229ee5b33dc9cf19961ef7090
                                                                                                                                        • Instruction ID: 1f676acd7edaa26adc4ca79e0045d44e052896bd28c7648fd21f15fbcbfbd87b
                                                                                                                                        • Opcode Fuzzy Hash: 7cdea3e1480aa1c9d5f14cac17bee4adaec2c93229ee5b33dc9cf19961ef7090
                                                                                                                                        • Instruction Fuzzy Hash: F8216236F40B148BD725CA29D884A2BFBFABFC8788750881DE74687701CBB6F4418B50
                                                                                                                                        APIs
                                                                                                                                        • _memmove.LIBCMT ref: 02F4BB74
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(02F4BA37,00000000), ref: 02F4BB87
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4BBA8
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 02F4BBCD
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02F4BBE0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Exchange$DecrementFreeHeap_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2620105004-0
                                                                                                                                        • Opcode ID: ffbfd7b585940098c9a252af05d54b09156b863ed49ca890daed22a24c5fe71d
                                                                                                                                        • Instruction ID: 945487bfe41871618c4f07fbab07426c2bf6d3781f08cd87c6fbaf62d3655371
                                                                                                                                        • Opcode Fuzzy Hash: ffbfd7b585940098c9a252af05d54b09156b863ed49ca890daed22a24c5fe71d
                                                                                                                                        • Instruction Fuzzy Hash: 1E218371A00208AFD714DF69DC45AAAB7A8EF04798B048558FE09C7251EB74ED04CBA1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        • CTcpServer::CheckParams, xrefs: 02F3EC40
                                                                                                                                        • @KL, xrefs: 02F3EBC3
                                                                                                                                        • CTcpPackServerT<class CTcpServer>::CheckParams, xrefs: 02F333D7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast
                                                                                                                                        • String ID: @KL$CTcpPackServerT<class CTcpServer>::CheckParams$CTcpServer::CheckParams
                                                                                                                                        APIs
                                                                                                                                        • setsockopt.WS2_32(?,0000FFFF,00000020,?,00000004), ref: 02F44C86
                                                                                                                                        • WSAEventSelect.WS2_32(?,?,00000023), ref: 02F44CAC
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,7556DFA0,?,?,02F44658,?,?,?,?,?), ref: 02F44CBE
                                                                                                                                        • GetLastError.KERNEL32(?,7556DFA0,?,?,02F44658,?,?,?,?,?), ref: 02F44CD5
                                                                                                                                        • WSASetLastError.WS2_32(00000000,?,7556DFA0,?,?,02F44658,?,?,?,?,?), ref: 02F44CE5
                                                                                                                                          • Part of subcall function 02F38140: setsockopt.WS2_32(?,00000000,0000000A,?,00000004), ref: 02F3816E
                                                                                                                                          • Part of subcall function 02F38140: setsockopt.WS2_32(?,00000000,0000000B,?,00000004), ref: 02F3818A
                                                                                                                                          • Part of subcall function 02F38140: setsockopt.WS2_32(?,00000000,0000000C,7556DFA0,00000008), ref: 02F381BD
                                                                                                                                        Similarity
                                                                                                                                        • API ID: setsockopt$ErrorLast$EventSelect
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        • @KL, xrefs: 02F39515
                                                                                                                                        • CTcpAgent::CheckParams, xrefs: 02F39586
                                                                                                                                        • CTcpPackAgentT<class CTcpAgent>::CheckParams, xrefs: 02F33A37
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast
                                                                                                                                        • String ID: @KL$CTcpAgent::CheckParams$CTcpPackAgentT<class CTcpAgent>::CheckParams
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(000010D8,6EBCDBE2,?,?,?,?,?,02F5CC98,000000FF), ref: 02F43046
                                                                                                                                        • InterlockedIncrement.KERNEL32(00000000), ref: 02F43052
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4305F
                                                                                                                                        • WSASetLastError.WS2_32(0000000D,?,?,?,?,?,02F5CC98,000000FF), ref: 02F430B8
                                                                                                                                          • Part of subcall function 02F43B70: WSASetLastError.WS2_32(0000000D,6EBCDBE2,?,?,00000000), ref: 02F43BC8
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000000), ref: 02F430C4
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$Interlocked$CurrentDecrementIncrementThread
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?), ref: 02F439C8
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F439DC
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F439F3
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F439F6
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F43A31
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F43A3B
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$Enter
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F3F759
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F3F763
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3F782
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3F785
                                                                                                                                        • timeGetTime.WINMM(?,00000000,?,?,?), ref: 02F3F7B4
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$Timetime
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F29
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F33
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F52
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F55
                                                                                                                                        • timeGetTime.WINMM(?,00000000,?,?,?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F39F84
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$Timetime
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 02F4DCFC
                                                                                                                                          • Part of subcall function 02F4D0D9: __FF_MSGBANNER.LIBCMT ref: 02F4D0F2
                                                                                                                                          • Part of subcall function 02F4D0D9: __NMSG_WRITE.LIBCMT ref: 02F4D0F9
                                                                                                                                          • Part of subcall function 02F4D0D9: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D11E
                                                                                                                                        • _free.LIBCMT ref: 02F4DD0F
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_free_malloc
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F46C24
                                                                                                                                        • send.WS2_32(02F2D897,02F60640,00000010,00000000), ref: 02F46C60
                                                                                                                                        • WSACloseEvent.WS2_32(?), ref: 02F46C8A
                                                                                                                                        • shutdown.WS2_32(02F2D897,00000001), ref: 02F46C9E
                                                                                                                                        • closesocket.WS2_32(02F2D897), ref: 02F46CA8
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCurrentEventThreadclosesocketsendshutdown
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(00000000,?), ref: 02F3B07A
                                                                                                                                          • Part of subcall function 02F39370: SetLastError.KERNEL32(00000000,6EBCDBE2,?,?), ref: 02F393A3
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F3B08D
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F3B0A8
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3B0C0
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,02F3AD57,?,?,?), ref: 02F3B0E2
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Exchange$DecrementErrorFreeHeapLast
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,7742E820,?,02F5B760,000000FF,?,02F39F73,?,?,?,?,?,02F3B007,?), ref: 02F3A165
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,7742E820,?,02F5B760,000000FF,?,02F39F73,?,?,?,?,?,02F3B007,?), ref: 02F3A191
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,02F39F73,?,?,?,?,?,02F3B007,?,00000000,00000000,00000000), ref: 02F3A1B4
                                                                                                                                        • shutdown.WS2_32(?,00000001), ref: 02F3A1CD
                                                                                                                                        • closesocket.WS2_32(?), ref: 02F3A1D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Enter$Leaveclosesocketshutdown
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3384241815-0
                                                                                                                                        • Opcode ID: 399c1e102cae9f10d8f656dd73ee7129bf5c7ffe0ec2206ef6d9b5a16721ea9c
                                                                                                                                        • Instruction ID: 2935d61264a3e08055fddd2bc25dea7cb8455544592eb45818c53ef69057e12c
                                                                                                                                        • Opcode Fuzzy Hash: 399c1e102cae9f10d8f656dd73ee7129bf5c7ffe0ec2206ef6d9b5a16721ea9c
                                                                                                                                        • Instruction Fuzzy Hash: EB214F76A40308EFD710CF55D884FAABBF9FB49750F108A19FA5687380C775AA108FA0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(?,?), ref: 02F40C1A
                                                                                                                                          • Part of subcall function 02F3EA20: SetLastError.KERNEL32(00000000,6EBCDBE2), ref: 02F3EA53
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(02F40945,?), ref: 02F40C2D
                                                                                                                                        • InterlockedExchangeAdd.KERNEL32(02F40945,?), ref: 02F40C48
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F40C60
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02F40760,?,?,?), ref: 02F40C82
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$Exchange$DecrementErrorFreeHeapLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 532140803-0
                                                                                                                                        • Opcode ID: a6dbbe742c6462ee505e5257b779fc023f1f18f1889b2069ae5e509bc75366e1
                                                                                                                                        • Instruction ID: 6855b88f59d2c3622295dadc0fbac110715a2d2da08a76aea8007cd62a5e548e
                                                                                                                                        • Opcode Fuzzy Hash: a6dbbe742c6462ee505e5257b779fc023f1f18f1889b2069ae5e509bc75366e1
                                                                                                                                        • Instruction Fuzzy Hash: B511A572A50620EBD718AB64DDC4E9BBBADBF456C1300090DFB06D3140DFB4E6498BB1
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,7742E820,?,02F5B760,000000FF,?,02F3F7A3,?,?,?), ref: 02F3F965
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,7742E820,?,02F5B760,000000FF,?,02F3F7A3,?,?,?), ref: 02F3F991
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,02F3F7A3,?,?,?), ref: 02F3F9B4
                                                                                                                                        • shutdown.WS2_32 ref: 02F3F9CD
                                                                                                                                        • closesocket.WS2_32(?), ref: 02F3F9D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Enter$Leaveclosesocketshutdown
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3384241815-0
                                                                                                                                        • Opcode ID: 11690e276741aadd7bef8488e00b69f242fe61aec232c8b2f871c46cbec26cb2
                                                                                                                                        • Instruction ID: ae776d7ed347d4769c1f64b6813c83cf6f4936b11891cde9009e91063d5299d6
                                                                                                                                        • Opcode Fuzzy Hash: 11690e276741aadd7bef8488e00b69f242fe61aec232c8b2f871c46cbec26cb2
                                                                                                                                        • Instruction Fuzzy Hash: 4A213D76A40308EFD710CF54D884FAABBF9FB49750F108A19FA1687380C775AA008B60
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F36CD0
                                                                                                                                        • timeGetTime.WINMM(00000000,?,?), ref: 02F36CF9
                                                                                                                                        • WaitForSingleObject.KERNEL32(0000029C,00000001), ref: 02F36D1A
                                                                                                                                        • SwitchToThread.KERNEL32 ref: 02F36D22
                                                                                                                                        • SetLastError.KERNEL32(000005B4), ref: 02F36D4C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Timetime$ErrorLastObjectSingleSwitchThreadWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 410572411-0
                                                                                                                                        • Opcode ID: a5d4516ff2685cdbec90f9b8820e134e17992d91b591133df104b87cd220ede8
                                                                                                                                        • Instruction ID: 99fbd3cfe3e32111bebd5166cc2108e54e685b18f5654e4e132901f3889d229b
                                                                                                                                        • Opcode Fuzzy Hash: a5d4516ff2685cdbec90f9b8820e134e17992d91b591133df104b87cd220ede8
                                                                                                                                        • Instruction Fuzzy Hash: 6F11C272D00208BBEB219FA9D884BAEF77CFF44395F104529EE01D7280C775DA54CA58
                                                                                                                                        APIs
                                                                                                                                        • closesocket.WS2_32(?), ref: 02F3F486
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F3F369,?,?,02F2B9C5), ref: 02F3F4A1
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F3F369,?,?,02F2B9C5), ref: 02F3F4B9
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000064,000004FF), ref: 02F3F4D4
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,02F3F369,?,?,02F2B9C5), ref: 02F3F501
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Timetime$ErrorLastMultipleObjectsWaitclosesocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 413038252-0
                                                                                                                                        • Opcode ID: 3713d399753c0fc8d630cb67d081b4fe2dd7fac8aac05888c10d371e1ecc17c2
                                                                                                                                        • Instruction ID: e993a43d7b1f43a065cb60149649250ef46321bc3cc45528d9062a41659bf5e1
                                                                                                                                        • Opcode Fuzzy Hash: 3713d399753c0fc8d630cb67d081b4fe2dd7fac8aac05888c10d371e1ecc17c2
                                                                                                                                        • Instruction Fuzzy Hash: 6C012632E403156BE625AA78DD49A69B298AF053F4F10071AFF66D37D0DBB09D008661
                                                                                                                                        APIs
                                                                                                                                        • closesocket.WS2_32(?), ref: 02F49AE9
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F497BF,?,?,?,02F2D158), ref: 02F49B07
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F497BF,?,?,?,02F2D158), ref: 02F49B1A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,-00000046,000004FF), ref: 02F49B35
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,02F497BF,?,?,?,02F2D158), ref: 02F49B62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Timetime$ErrorLastMultipleObjectsWaitclosesocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 413038252-0
                                                                                                                                        • Opcode ID: d1a0b855beb3ec5ca794a7d1a87496b22d0c53b0041562c0bad234269478bc4c
                                                                                                                                        • Instruction ID: 1c5b08f451a11753bf54ca0c0e86d3469a5923339b50f15e53de462e4bcf6fc7
                                                                                                                                        • Opcode Fuzzy Hash: d1a0b855beb3ec5ca794a7d1a87496b22d0c53b0041562c0bad234269478bc4c
                                                                                                                                        • Instruction Fuzzy Hash: A401C831F403156BEA1456788C49AAAB65C9B463F4F100719EB66D32D0DFF0AA148A51
                                                                                                                                        APIs
                                                                                                                                        • closesocket.WS2_32(?), ref: 02F47C59
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F47AF9,?,?,02F2E3E6), ref: 02F47C77
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,02F47AF9,?,?,02F2E3E6), ref: 02F47C8A
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000004,00000000,-00000064,000004FF), ref: 02F47CA5
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,02F47AF9,?,?,02F2E3E6), ref: 02F47CD2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Timetime$ErrorLastMultipleObjectsWaitclosesocket
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 413038252-0
                                                                                                                                        • Opcode ID: e2dcba5a49e007b1881c2e489a5b949c0720ecdee0c9ac742dc8dc5a525b6daa
                                                                                                                                        • Instruction ID: d5a217c64dfa6145a9e574eb28fe0f5e876eaf086bd2ad4d3dda4b78ab31544a
                                                                                                                                        • Opcode Fuzzy Hash: e2dcba5a49e007b1881c2e489a5b949c0720ecdee0c9ac742dc8dc5a525b6daa
                                                                                                                                        • Instruction Fuzzy Hash: A701C471A403245FF62476789D49A6DFA989F453B5F11071AEB26D32C0DFF09A008AA1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F44250: _free.LIBCMT ref: 02F44276
                                                                                                                                          • Part of subcall function 02F353E0: DeleteTimerQueueEx.KERNEL32(00000000,000000FF,02F6820C), ref: 02F353E9
                                                                                                                                          • Part of subcall function 02F353E0: CreateTimerQueue.KERNEL32(02F6820C), ref: 02F35403
                                                                                                                                        • DeleteTimerQueueEx.KERNEL32(?,000000FF), ref: 02F49860
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        • CreateTimerQueue.KERNEL32 ref: 02F4987E
                                                                                                                                        • HeapDestroy.KERNEL32(?), ref: 02F498A3
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?), ref: 02F498BE
                                                                                                                                        • SetEvent.KERNEL32 ref: 02F498EE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: QueueTimer$Create$DeleteHeap$DestroyEventException@8Throw_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1974466372-0
                                                                                                                                        • Opcode ID: 99c7a9022406875feaac641db94a5ebfbd455902a35b05bec01005961e1afee1
                                                                                                                                        • Instruction ID: f6e5649e08ce7ed5d1d95605d7948d95abfb152f5a17cde09807e093019f8ed5
                                                                                                                                        • Opcode Fuzzy Hash: 99c7a9022406875feaac641db94a5ebfbd455902a35b05bec01005961e1afee1
                                                                                                                                        • Instruction Fuzzy Hash: BE114F71A047109BD7209F78DC48BD7B7E9AF49391F40091DAA6AD7240DBB0A904CF94
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 00F97F5E
                                                                                                                                          • Part of subcall function 00F96975: __getptd_noexit.LIBCMT ref: 00F96978
                                                                                                                                          • Part of subcall function 00F96975: __amsg_exit.LIBCMT ref: 00F96985
                                                                                                                                        • __amsg_exit.LIBCMT ref: 00F97F7E
                                                                                                                                        • __lock.LIBCMT ref: 00F97F8E
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 00F97FAB
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 00F97FD6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4271482742-0
                                                                                                                                        • Opcode ID: 1e8e21f9293ee8769bf84e8c14c3d6b998d586a919311f145cebedc1751b356c
                                                                                                                                        • Instruction ID: 57af4dc6824984dc84f4c22949f038f6514961329623fa13a4301774ec361b1b
                                                                                                                                        • Opcode Fuzzy Hash: 1e8e21f9293ee8769bf84e8c14c3d6b998d586a919311f145cebedc1751b356c
                                                                                                                                        • Instruction Fuzzy Hash: 75019232D18B15ABFF25BB69AC0576EB7A0BF40B28F040156E810B7291CB386D41FBD1
                                                                                                                                        APIs
                                                                                                                                        • __lock.LIBCMT ref: 00F94485
                                                                                                                                          • Part of subcall function 00F95321: __mtinitlocknum.LIBCMT ref: 00F95337
                                                                                                                                          • Part of subcall function 00F95321: __amsg_exit.LIBCMT ref: 00F95343
                                                                                                                                          • Part of subcall function 00F95321: RtlEnterCriticalSection.NTDLL(?), ref: 00F9534B
                                                                                                                                        • ___sbh_find_block.LIBCMT ref: 00F94490
                                                                                                                                        • ___sbh_free_block.LIBCMT ref: 00F9449F
                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00F9DD50,0000000C,00F95302,00000000,00F9DE00,0000000C,00F9533C,?,?,?,00F9947F,00000004,00F9DFD0,0000000C), ref: 00F944CF
                                                                                                                                        • GetLastError.KERNEL32(?,00F9947F,00000004,00F9DFD0,0000000C,00F96D14,?,?,00000000,00000000,00000000,?,00F96927,00000001,00000214), ref: 00F944E0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2714421763-0
                                                                                                                                        • Opcode ID: 14dbea814918bbb213c1e9c939248d4c6e1971a6c3e097f9d28f50e769197f9e
                                                                                                                                        • Instruction ID: c835968a805ccca0d920d8d6b8ae70c56c11e3aa3744340eb77ae54c0379bb67
                                                                                                                                        • Opcode Fuzzy Hash: 14dbea814918bbb213c1e9c939248d4c6e1971a6c3e097f9d28f50e769197f9e
                                                                                                                                        • Instruction Fuzzy Hash: 7001A731C05609AAFF32BFB4AD06F5E3764AF10B61F24410AF904AA091CB7D9541BB90
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 01086708
                                                                                                                                          • Part of subcall function 010818EE: __getptd_noexit.LIBCMT ref: 010818F1
                                                                                                                                          • Part of subcall function 010818EE: __amsg_exit.LIBCMT ref: 010818FE
                                                                                                                                        • __getptd.LIBCMT ref: 0108671F
                                                                                                                                        • __amsg_exit.LIBCMT ref: 0108672D
                                                                                                                                        • __lock.LIBCMT ref: 0108673D
                                                                                                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 01086751
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 938513278-0
                                                                                                                                        • Opcode ID: 8a46dcf37e920658d9611f6f924caa9088325d019106b518207994e34a70ca18
                                                                                                                                        • Instruction ID: ae98cf8efc788045168c156c8abb8b986ffc5f349448915228575fa79876457a
                                                                                                                                        • Opcode Fuzzy Hash: 8a46dcf37e920658d9611f6f924caa9088325d019106b518207994e34a70ca18
                                                                                                                                        • Instruction Fuzzy Hash: 90F09032A4D7129FDB75BBACA801B8D3B907F20720F524249D5D1AB2C0DB7545419A96
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 02F53F23
                                                                                                                                          • Part of subcall function 02F5053D: __getptd_noexit.LIBCMT ref: 02F50540
                                                                                                                                          • Part of subcall function 02F5053D: __amsg_exit.LIBCMT ref: 02F5054D
                                                                                                                                        • __getptd.LIBCMT ref: 02F53F3A
                                                                                                                                        • __amsg_exit.LIBCMT ref: 02F53F48
                                                                                                                                        • __lock.LIBCMT ref: 02F53F58
                                                                                                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 02F53F6C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 938513278-0
                                                                                                                                        • Opcode ID: 143c3c68b73d4a7af6b981f6f65583c578d8c4a5119094eb6b056d82a1fde5c3
                                                                                                                                        • Instruction ID: 115e5af864787c84e551b47e2498913e463f3d173c48096bf16bbd1f0105fa92
                                                                                                                                        • Opcode Fuzzy Hash: 143c3c68b73d4a7af6b981f6f65583c578d8c4a5119094eb6b056d82a1fde5c3
                                                                                                                                        • Instruction Fuzzy Hash: B3F0CD32944624AAEA25BB68AC05B4EB2F26F04BE0F02018CDB1467280CF648445CF95
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F4D728: _doexit.LIBCMT ref: 02F4D734
                                                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 02F4DE01
                                                                                                                                          • Part of subcall function 02F50382: TlsGetValue.KERNEL32(00000000,02F504DB,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?), ref: 02F5038B
                                                                                                                                          • Part of subcall function 02F50382: DecodePointer.KERNEL32(?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?,?,02F4D5FB,00000008), ref: 02F5039D
                                                                                                                                          • Part of subcall function 02F50382: TlsSetValue.KERNEL32(00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?,?,?,02F4D5FB), ref: 02F503AC
                                                                                                                                        • ___fls_getvalue@4.LIBCMT ref: 02F4DE0C
                                                                                                                                          • Part of subcall function 02F50362: TlsGetValue.KERNEL32(?,?,02F4DE11,00000000), ref: 02F50370
                                                                                                                                        • ___fls_setvalue@8.LIBCMT ref: 02F4DE1F
                                                                                                                                          • Part of subcall function 02F503B6: DecodePointer.KERNEL32(?,?,?,02F4DE24,00000000,?,00000000), ref: 02F503C7
                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 02F4DE28
                                                                                                                                        • ExitThread.KERNEL32 ref: 02F4DE2F
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F4DE35
                                                                                                                                        • __freefls@4.LIBCMT ref: 02F4DE55
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 781180411-0
                                                                                                                                        • Opcode ID: 80580f2d7bdf861b313b156172d3c4faf92f426ff5a352be5916ab80a74632d6
                                                                                                                                        • Instruction ID: 0fb4ee633e715f8430ce8dd2592b6dcaa3568f9b82ec1dda267ff519283057dd
                                                                                                                                        • Opcode Fuzzy Hash: 80580f2d7bdf861b313b156172d3c4faf92f426ff5a352be5916ab80a74632d6
                                                                                                                                        • Instruction Fuzzy Hash: EFE0B631C04229A7DB003BF18C0899F7E6E9E483D0B110858BF5093512DF79AA218AA1
                                                                                                                                        APIs
                                                                                                                                        • unzCloseCurrentFile.Z(?), ref: 1000953A
                                                                                                                                        • 0167C4C5.CRTDLL(00000000), ref: 100095AF
                                                                                                                                        • inflateInit2_.Z(00000004,000000F1,1.1.4,00000038), ref: 10009664
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: 0167CloseCurrentFileInit2_inflate
                                                                                                                                        • String ID: 1.1.4
                                                                                                                                        • API String ID: 674683547-362073112
                                                                                                                                        • Opcode ID: c291eec9ec72cdda43d71ca67d7bf39b02643c83dcd015821575b0966aa4edcf
                                                                                                                                        • Instruction ID: 1db5ebac1de868ec58977abc796855c6a8c79a7a2164809c8d03f430ba4ead26
                                                                                                                                        • Opcode Fuzzy Hash: c291eec9ec72cdda43d71ca67d7bf39b02643c83dcd015821575b0966aa4edcf
                                                                                                                                        • Instruction Fuzzy Hash: 4551BFB19047048FEB55CF19DC80A9AB7E5FF89390F10426AEC498B34AE772D948CB51
                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,6EBCDBE2,00000008,00000000), ref: 02F2E23F
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02F5BD33,000000FF), ref: 02F2E27D
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02F5BD33,000000FF), ref: 02F2E292
                                                                                                                                          • Part of subcall function 02F223E0: __CxxThrowException@8.LIBCMT ref: 02F223F0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoNativeSystem$CreateEventException@8Throw
                                                                                                                                        • String ID: 0/Wu
                                                                                                                                        • API String ID: 3940031611-938174528
                                                                                                                                        APIs
                                                                                                                                        • inflateEnd.Z(000000F1,?,?,?,000000F1,1.1.4,00000038), ref: 100059A5
                                                                                                                                        • inflateReset.Z(000000F1,?,?,?,000000F1,1.1.4,00000038), ref: 100059B4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: inflate$Reset
                                                                                                                                        • String ID: 8
                                                                                                                                        • API String ID: 1157945372-4194326291
                                                                                                                                        APIs
                                                                                                                                        • sendto.WS2_32(?,00000000,00000000,00000000,0000000C,-0000001D), ref: 02F4C03F
                                                                                                                                        • WSAGetLastError.WS2_32(?,02F4B25E,?), ref: 02F4C04A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLastsendto
                                                                                                                                        • String ID: fail$succ
                                                                                                                                        • API String ID: 687199322-833859129
                                                                                                                                        APIs
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,02F3EB47,?), ref: 02F3F0B8
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F3F0C6
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F3F0D6
                                                                                                                                        Strings
                                                                                                                                        • CTcpServer::CreateCompletePort, xrefs: 02F3F0DF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompletionCreatePort
                                                                                                                                        • String ID: CTcpServer::CreateCompletePort
                                                                                                                                        • API String ID: 3924628623-733961914
                                                                                                                                        APIs
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,02F48FE5), ref: 02F494E8
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F494F9
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F4950C
                                                                                                                                        Strings
                                                                                                                                        • CUdpServer::CreateCompletePort, xrefs: 02F49515
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompletionCreatePort
                                                                                                                                        • String ID: CUdpServer::CreateCompletePort
                                                                                                                                        • API String ID: 3924628623-1286698189
                                                                                                                                        APIs
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,02F47317,?,?), ref: 02F47878
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F47889
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F4789C
                                                                                                                                        Strings
                                                                                                                                        • CUdpNode::CreateCompletePort, xrefs: 02F478A5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompletionCreatePort
                                                                                                                                        • String ID: CUdpNode::CreateCompletePort
                                                                                                                                        • API String ID: 3924628623-3144090018
                                                                                                                                        APIs
                                                                                                                                        • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,02F39490), ref: 02F39938
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F39946
                                                                                                                                        • SetLastError.KERNEL32 ref: 02F39956
                                                                                                                                        Strings
                                                                                                                                        • CTcpAgent::CreateCompletePort, xrefs: 02F3995F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CompletionCreatePort
                                                                                                                                        • String ID: CTcpAgent::CreateCompletePort
                                                                                                                                        • API String ID: 3924628623-1826625961
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00F932BA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2882836952-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F), ref: 02F42164
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 02F42186
                                                                                                                                        • SetLastError.KERNEL32(0000139F), ref: 02F4219A
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F421A1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2124651672-0
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F,?,?,?,?,?,?,02F431D3), ref: 02F434FE
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,02F431D3), ref: 02F4350E
                                                                                                                                        • SetLastError.KERNEL32(0000139F,?,?,?,?,?,?,02F431D3), ref: 02F4351F
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,02F431D3), ref: 02F43526
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2124651672-0
                                                                                                                                        APIs
                                                                                                                                        • midiStreamOpen.WINMM(011AE380,011AE3A8,00000001,010215B0,011AE364,00030000,00000000,011AE364,?,00000000), ref: 01020FBB
                                                                                                                                        • midiStreamProperty.WINMM ref: 010210A2
                                                                                                                                        • midiOutPrepareHeader.WINMM(00000000,00000000,00000040,00000001,00000000,00000000,011AE364,?,00000000), ref: 010211F0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: midi$Stream$HeaderOpenPrepareProperty
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2061886437-0
                                                                                                                                        • Opcode ID: bbe7857aa0ec37cdd8080e4fba27ed50999e7a09daa6c3bb219b05e45aa42cc2
                                                                                                                                        • Instruction ID: 4de3ae2992952d77616b02b15f974eed43203a695f7ae0757b27346151cf62a4
                                                                                                                                        • Opcode Fuzzy Hash: bbe7857aa0ec37cdd8080e4fba27ed50999e7a09daa6c3bb219b05e45aa42cc2
                                                                                                                                        • Instruction Fuzzy Hash: F2A18D716006168FD724CF28D8D0BAAB7F6FB84304F50496EE69AC7650EB76F919CB40
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(000010D8,6EBCDBE2), ref: 02F42C6B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1452528299-0
                                                                                                                                        • Opcode ID: 8eb267e71f6e5e204c172bfaecec3f1af2b6dba494db375297b3340456f4cb88
                                                                                                                                        • Instruction ID: 97b765c2e161d90e2d915267fca29c285a7e4a62c4b1a3ee72692138837a0ba1
                                                                                                                                        • Opcode Fuzzy Hash: 8eb267e71f6e5e204c172bfaecec3f1af2b6dba494db375297b3340456f4cb88
                                                                                                                                        • Instruction Fuzzy Hash: 7E516072A046199BCB14CF58D880B9EBBB5FF887A0F11857AEE15E7340DB71A910CB94
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(000010D8,6EBCDBE2), ref: 02F4B8BF
                                                                                                                                        • _memmove.LIBCMT ref: 02F4B93A
                                                                                                                                        • SetLastError.KERNEL32(000005B6,?,6EBCDBE2), ref: 02F4B972
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?), ref: 02F4B9A0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$FreeHeap_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3805261358-0
                                                                                                                                        • Opcode ID: 5f76407fa8afd990086dc452b6f036e048874b64cebd561a6b2c471d1ec592fb
                                                                                                                                        • Instruction ID: 0268cdec5ce845f023ab319d54de5f6ecef2889416512e52330ba8c6fd591c33
                                                                                                                                        • Opcode Fuzzy Hash: 5f76407fa8afd990086dc452b6f036e048874b64cebd561a6b2c471d1ec592fb
                                                                                                                                        • Instruction Fuzzy Hash: CB51C032E087559FD710CF68D890B1ABBE5FF88798F144A6EEA4497341DB71E801CB91
                                                                                                                                        APIs
                                                                                                                                        • CreateTimerQueueTimer.KERNEL32(?,?,02F4C090,00000000,00000000,00000000,00000020,6EBCDBE2,?,00000060,00000000,?), ref: 02F4A04A
                                                                                                                                        • timeGetTime.WINMM(6EBCDBE2,?,00000060,00000000,?,?,?), ref: 02F4A059
                                                                                                                                        • _memmove.LIBCMT ref: 02F4A082
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F4A117
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Timer$CreateObjectQueueSingleTimeWait_memmovetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1084678350-0
                                                                                                                                        • Opcode ID: 3b88bc4b1817159422aee04faafaf5b3c807ae6b778569ad80e8bdd25728ab77
                                                                                                                                        • Instruction ID: 51a1d3f5ec6db42f316c0b194cdf1df1986ee90d086cf88404ff5f536b764774
                                                                                                                                        • Opcode Fuzzy Hash: 3b88bc4b1817159422aee04faafaf5b3c807ae6b778569ad80e8bdd25728ab77
                                                                                                                                        • Instruction Fuzzy Hash: E541E371A40605AFD714DF69C880B9ABBF8FF09794F00852AEA1AC7680DB74E544CF90
                                                                                                                                        APIs
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000), ref: 02F4041F
                                                                                                                                        • _memmove.LIBCMT ref: 02F40451
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 02F404B7
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000001,000000FF,?,00000001,000000FF), ref: 02F404D4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCompletionHandleMultipleObjectsPostQueuedStatusWait_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3218539664-0
                                                                                                                                        • Opcode ID: 67deeb6a77523eea16d3deafe5c45ee6a08626ae0c45a60d60b0a5a5d6aa7e1e
                                                                                                                                        • Instruction ID: 38809c1131279de28fdb58f7d04daeabe14529a84835042c597d170a64e031ea
                                                                                                                                        • Opcode Fuzzy Hash: 67deeb6a77523eea16d3deafe5c45ee6a08626ae0c45a60d60b0a5a5d6aa7e1e
                                                                                                                                        • Instruction Fuzzy Hash: 7531C272E40229ABDB289F68DE44B9EBBA5FF44794F400529DF11A7250DFB0AD118BD0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(6EBCDBE2,?,?,?,?,?,?,?,?,?,?,6EBCDBE2), ref: 02F39C9F
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,?,?,?,?,?,?,6EBCDBE2), ref: 02F39CB9
                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,6EBCDBE2,00000000,-00000064,000004FF), ref: 02F39CD8
                                                                                                                                        • SetLastError.KERNEL32(000005B4,?,?,?,?,?,?,?,?,?,?,6EBCDBE2), ref: 02F39D05
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Timetime$ErrorLastMultipleObjectsWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3474523637-0
                                                                                                                                        • Opcode ID: 14bc7c58229ae2de434e9aec74c1a3dcad849e7447d6522facb34b03eddc972d
                                                                                                                                        • Instruction ID: 287c811a658adf30fb7dfbcb1a74a0f7d80df2e6ca73a39cf14fc3a0ae1715b5
                                                                                                                                        • Opcode Fuzzy Hash: 14bc7c58229ae2de434e9aec74c1a3dcad849e7447d6522facb34b03eddc972d
                                                                                                                                        • Instruction Fuzzy Hash: 5E41A371E00214AFDB15DF68D885BADB7B5EF487A4F044629EA17E7380DBB0A844CF90
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00F91803,00000000,?,?), ref: 00F91542
                                                                                                                                        • GetProcAddress.KERNEL32(?,00000002), ref: 00F91589
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00F91803,00000000,?,?), ref: 00F915FB
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00F91803,00000000,?,?), ref: 00F915FE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$AddressFreeHandleLoadModuleProc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1437655972-0
                                                                                                                                        • Opcode ID: 0f7744ac581c3a3bc7704d83a89cbaeead8585defde2c9afc294d353eeefc914
                                                                                                                                        • Instruction ID: d15f06789474b2e6a965083e101dc240bd1846c1db490754a21348e54ba57878
                                                                                                                                        • Opcode Fuzzy Hash: 0f7744ac581c3a3bc7704d83a89cbaeead8585defde2c9afc294d353eeefc914
                                                                                                                                        • Instruction Fuzzy Hash: 33418975A0430A8FDB20CF19D880A57B7E4FF84368F5A097DE946CB211E730E949DB91
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2716660170.0000000001199000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716681407.000000000119B000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.000000000119F000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011AE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716698294.00000000011D6000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        • Associated: 00000002.00000002.2716778147.00000000011DD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset$_malloc_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1510366324-0
                                                                                                                                        • Opcode ID: 1b711233172cb4a87e4048eca0fa5803c17c7eb7129829a14ca7ec2608ae23b2
                                                                                                                                        • Instruction ID: 43a4f316a0353dd552578054944d83f02b1ba4a98293a345ebdd31b8c7781940
                                                                                                                                        • Opcode Fuzzy Hash: 1b711233172cb4a87e4048eca0fa5803c17c7eb7129829a14ca7ec2608ae23b2
                                                                                                                                        • Instruction Fuzzy Hash: 0131A8B16007055FDB249F2DC8E1E5AB3DAEB55714B10C92EF3AACB790D675E840DB10
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,02F3AF34,?,?,?,?,00000000,?,02F3AD57,?,?,?), ref: 02F3B11F
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,02F3AF34,?,?,?,?,00000000,?,02F3AD57), ref: 02F3B1A2
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F3B1C1
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,00000004,00000004,?,00000002,00000004,00000000), ref: 02F3B1FC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap$ErrorLastTimetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3989459056-0
                                                                                                                                        • Opcode ID: c64d563f6ce6e05ba4837bc8634d0b2b994a6e3f17fe8385e54644e1502300cf
                                                                                                                                        • Instruction ID: a493f441108b014cfcb24fe976d9498cbb60486620bddc2ecaf3f033b59e8455
                                                                                                                                        • Opcode Fuzzy Hash: c64d563f6ce6e05ba4837bc8634d0b2b994a6e3f17fe8385e54644e1502300cf
                                                                                                                                        • Instruction Fuzzy Hash: AA316172E40219ABE721AB69DC91F6B73ADEF45794F104526FB05CB240DBB4E9008BA1
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,?,?,?,02F40928,?,?,?,?,00000000,?,02F40760,?,?,?), ref: 02F40CBF
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,02F40928,?,?,?,?,00000000,?,02F40760), ref: 02F40D42
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F40D61
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?), ref: 02F40D9C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeHeap$ErrorLastTimetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3989459056-0
                                                                                                                                        • Opcode ID: 08dcdc850b860e86a21b9ee3131a64a85f03240d4f274248c88ae6a465feef51
                                                                                                                                        • Instruction ID: d65a828c0cfd8babc7e92f55452bc94cf1b0875951bcc4390b9bc69648315d40
                                                                                                                                        • Opcode Fuzzy Hash: 08dcdc850b860e86a21b9ee3131a64a85f03240d4f274248c88ae6a465feef51
                                                                                                                                        • Instruction Fuzzy Hash: 1231C171B10205ABD724DF69DC80FAB7BA9AF45790F104529FF45CB240DFB5E9048BA1
                                                                                                                                        APIs
                                                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02F55BAB
                                                                                                                                        • __isleadbyte_l.LIBCMT ref: 02F55BDE
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,02F4D9F4,?,00000000,00000000,?,?,?,?,02F4D9F4,00000000), ref: 02F55C0F
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,02F4D9F4,00000001,00000000,00000000,?,?,?,?,02F4D9F4,00000000), ref: 02F55C7D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3058430110-0
                                                                                                                                        • Opcode ID: 530ddd30537e546aa85e68f0377bfb48ac3e0c8f58a318a3d2bae00484fc851f
                                                                                                                                        • Instruction ID: 27f7e6786b0fc803315fa4158101038768aa0332f30953beecff865d22ed9341
                                                                                                                                        • Opcode Fuzzy Hash: 530ddd30537e546aa85e68f0377bfb48ac3e0c8f58a318a3d2bae00484fc851f
                                                                                                                                        • Instruction Fuzzy Hash: F831D371A00266EFDB21DF64C888AAD7BB5BF01395F544568EB618B191D730DA40CB50
                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F4B5EE
                                                                                                                                        • timeGetTime.WINMM(?,02F4B076,?,?), ref: 02F4B604
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4B653
                                                                                                                                          • Part of subcall function 02F4B280: EnterCriticalSection.KERNEL32(?,6EBCDBE2,00000000,?,?,?), ref: 02F4B2B4
                                                                                                                                          • Part of subcall function 02F4B280: LeaveCriticalSection.KERNEL32(?,?), ref: 02F4B2DF
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F4B635
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalInterlockedSection$DecrementEnterErrorIncrementLastLeaveTimetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1282575898-0
                                                                                                                                        • Opcode ID: b8793d370f9d33ca4b2aa23c3d4197e4d0369319966432d8c00fc4860732f57d
                                                                                                                                        • Instruction ID: b019120a452a72748ffb1b879cd0b95236237182eaab3e02b35bbc8d39208e56
                                                                                                                                        • Opcode Fuzzy Hash: b8793d370f9d33ca4b2aa23c3d4197e4d0369319966432d8c00fc4860732f57d
                                                                                                                                        • Instruction Fuzzy Hash: DD31D575E44705AFEB208F64DC80B6ABBA9EB44794F10457AEB05D7282DFB0E9108E60
                                                                                                                                        APIs
                                                                                                                                        • recv.WS2_32(?,?,?,00000000), ref: 02F468AF
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,02F5C3E3,000000FF), ref: 02F46904
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F4692C
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,02F5C3E3,000000FF), ref: 02F4695A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$recv
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 316788870-0
                                                                                                                                        • Opcode ID: ed0c69b162e5e2ab4ed45af33d7fadcbeacd75c70e6ad1e5bd9edcd1b4d32b10
                                                                                                                                        • Instruction ID: c9b6e8a095a8f83ec3e46fd51dbbe98504e86f6700321fcbd9261c6ab0c43635
                                                                                                                                        • Opcode Fuzzy Hash: ed0c69b162e5e2ab4ed45af33d7fadcbeacd75c70e6ad1e5bd9edcd1b4d32b10
                                                                                                                                        • Instruction Fuzzy Hash: AB316FB1A007008FE734CF69D4D4B1BBBE9EB89394F104A2EE646C7640DBB5F9458B50
                                                                                                                                        APIs
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F408C6
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,?,00000000,?,02F40760,?,?,?), ref: 02F40901
                                                                                                                                          • Part of subcall function 02F40970: InterlockedDecrement.KERNEL32(?), ref: 02F409A5
                                                                                                                                          • Part of subcall function 02F40970: HeapFree.KERNEL32(00000000,00000000,?,?,?,02F408BD,?,?,?,00000000,?,02F40760,?,?,?), ref: 02F409C7
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F4092C
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F40949
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DecrementInterlocked$FreeHeap
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 671496076-0
                                                                                                                                        • Opcode ID: 9f7e5e9091dcbe79c92f2d9b49265039384721d9530c325ff289acf8249c0e58
                                                                                                                                        • Instruction ID: d11624a00e38b459d2b372b5b655723be72fd29efcddebfdced0dc3ae7b72330
                                                                                                                                        • Opcode Fuzzy Hash: 9f7e5e9091dcbe79c92f2d9b49265039384721d9530c325ff289acf8249c0e58
                                                                                                                                        • Instruction Fuzzy Hash: A921A436700319ABD718DE99DC94EBF7B69EF982A5704451EFB05C3200DF71D8118BA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: e395d3d35a680b64743918be52ef025664ae2b526cca0b08274a881d338fbf46
                                                                                                                                        • Instruction ID: 21d2bec7623f58d5885465b91a18182f169ecd750cc0d38388bfaa2893da8ba9
                                                                                                                                        • Opcode Fuzzy Hash: e395d3d35a680b64743918be52ef025664ae2b526cca0b08274a881d338fbf46
                                                                                                                                        • Instruction Fuzzy Hash: 3221D7323057019BF320DA2CAD81FE7B3E4FF857A0F44452AF5D487584EA62F64487A1
                                                                                                                                        APIs
                                                                                                                                        • recvfrom.WS2_32(?,?,?,00000000,?,?), ref: 02F45020
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,02F44DDB), ref: 02F4502E
                                                                                                                                        • GetLastError.KERNEL32 ref: 02F45059
                                                                                                                                        • WSAGetLastError.WS2_32(?,?,02F44DDB), ref: 02F4508A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$recvfrom
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1216204354-0
                                                                                                                                        • Opcode ID: e747a2f1e7c9d24155c07a2fd923a30aaa5c35508bd3bbd5885344d065a0ffea
                                                                                                                                        • Instruction ID: e864e4eebcef514d92d62cb2eb32bbc3b72a4bc37d6a7d03fac1fdd248943413
                                                                                                                                        • Opcode Fuzzy Hash: e747a2f1e7c9d24155c07a2fd923a30aaa5c35508bd3bbd5885344d065a0ffea
                                                                                                                                        • Instruction Fuzzy Hash: D021C175A007019FE720DE6CD884B5ABBE8EF58B60F504A1DE61AC3380EB75F9408B91
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2), ref: 02F458C0
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F458DB
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F45954
                                                                                                                                        • SetEvent.KERNEL32(?), ref: 02F45970
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterEvent
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3394196147-0
                                                                                                                                        • Opcode ID: b57eb1c4c8c2da778631a78a93a6112db01925e5e673f5057aadeab1bab103da
                                                                                                                                        • Instruction ID: 4dd07630cd82cbc8e1cad5f2ef96bb5344ab415e1cbc9c18e0fa361cd9b0f3a9
                                                                                                                                        • Opcode Fuzzy Hash: b57eb1c4c8c2da778631a78a93a6112db01925e5e673f5057aadeab1bab103da
                                                                                                                                        • Instruction Fuzzy Hash: A33123B1A047059FD714DF69D590BAAFBF4FB08750F508A6EEA5A87340EB32A900CB40
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,00000000,02F5B7B8,000000FF,?,02F46F55), ref: 02F4714E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,00000000,02F5B7B8,000000FF,?,02F46F55), ref: 02F47169
                                                                                                                                        • LeaveCriticalSection.KERNEL32(02F46F55), ref: 02F471D5
                                                                                                                                        • SetEvent.KERNEL32(?), ref: 02F471F0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterEvent
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3394196147-0
                                                                                                                                        • Opcode ID: 580c097d84bccc900967da19de6169fd6b0026952c969939796e582b8015afc0
                                                                                                                                        • Instruction ID: ce5e725c641f095c8a1c8b71824914de11b3605b817d6af52b89a4da87568472
                                                                                                                                        • Opcode Fuzzy Hash: 580c097d84bccc900967da19de6169fd6b0026952c969939796e582b8015afc0
                                                                                                                                        • Instruction Fuzzy Hash: 1431F5B1A04B04DFD714CF69D984BAAFBF5FB48740F508A6ED91A87741EB35A900CB40
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$recv
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 316788870-0
                                                                                                                                        • Opcode ID: 2940c1acb9245e8e18b895ddc83cd4231435b0569e78f351fc3eb20b17531300
                                                                                                                                        • Instruction ID: 611ea98ac7ae72df854c2ede9b94cec30c65ef0855e296d1876df227e2b9a097
                                                                                                                                        • Opcode Fuzzy Hash: 2940c1acb9245e8e18b895ddc83cd4231435b0569e78f351fc3eb20b17531300
                                                                                                                                        • Instruction Fuzzy Hash: 6F2158B5A017008BE3348F69D480B27B7E5AF88754F104A2DE64AC7780D774E8458B50
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 02F3C718
                                                                                                                                          • Part of subcall function 02F34E40: HeapFree.KERNEL32(00000008,00000000,?,?,00000000,02F3C6B6), ref: 02F34E81
                                                                                                                                        • DeleteCriticalSection.KERNEL32(00000070), ref: 02F3C6E2
                                                                                                                                        • DeleteCriticalSection.KERNEL32(00000058), ref: 02F3C6E8
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 02F3C6F3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalDeleteFreeHeapSection$_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 210024702-0
                                                                                                                                        • Opcode ID: f0889350a2768bc09e03b36a1c7f91cd502eded782700d6d8429e6f96a7be2c0
                                                                                                                                        • Instruction ID: 71b030066680f7e5958fb21aecd6abc5d874bf9babc0c8d0edc5122240d559cd
                                                                                                                                        • Opcode Fuzzy Hash: f0889350a2768bc09e03b36a1c7f91cd502eded782700d6d8429e6f96a7be2c0
                                                                                                                                        • Instruction Fuzzy Hash: 932179B5A00609AFC710DF69C980A5AB7F9FFC8354B20895ADA59E7240D731B901CF90
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 02F320E6
                                                                                                                                          • Part of subcall function 02F4D16D: HeapFree.KERNEL32(00000000,00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D183
                                                                                                                                          • Part of subcall function 02F4D16D: GetLastError.KERNEL32(00000000,?,02F5052E,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33,?), ref: 02F4D195
                                                                                                                                        • _free.LIBCMT ref: 02F320EF
                                                                                                                                        • CloseHandle.KERNEL32(CCCCCCCC,6EBCDBE2,?,?,00000000,?,?,02F5BC28,000000FF,?,02F2BA33), ref: 02F32134
                                                                                                                                        • CloseHandle.KERNEL32(CCCCCCC3,6EBCDBE2,?,?,00000000,?,?,02F5BC28,000000FF,?,02F2BA33), ref: 02F32157
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle_free$ErrorFreeHeapLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1377863804-0
                                                                                                                                        • Opcode ID: aa9d7d9d78ded8534f8f2568e2482e8f2105eb68c79881966d187813afa17a46
                                                                                                                                        • Instruction ID: 1d849e4233e75d7a4f90b1fa9cd074a7342ba377c4404de83105c59c8a6cb65b
                                                                                                                                        • Opcode Fuzzy Hash: aa9d7d9d78ded8534f8f2568e2482e8f2105eb68c79881966d187813afa17a46
                                                                                                                                        • Instruction Fuzzy Hash: C42192B2940616ABD710EF68DD80A9AF7B8FF04790F414629EF29A7280C774BD15CB90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd_noexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3074181302-0
                                                                                                                                        • Opcode ID: b2c2bb93389fd5de5720cff28c30f20e251e5b974f1c65fd5b6c43806dfc1379
                                                                                                                                        • Instruction ID: 5ffcd4f0385be76c57579a7293f28eaff6c0d2edac0a84456822c2be41815243
                                                                                                                                        • Opcode Fuzzy Hash: b2c2bb93389fd5de5720cff28c30f20e251e5b974f1c65fd5b6c43806dfc1379
                                                                                                                                        • Instruction Fuzzy Hash: E811EE32A05206AFEB713B68DD04BAF3FA9FB81361F148165F9E4961A4DA718C48C794
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F3C83F
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,?,?), ref: 02F3C853
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CompareExchangeInterlocked
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3335655927-0
                                                                                                                                        • Opcode ID: a3b3a00d693c6dc062d259706a92a6c7a9c814f0d0dab19c2f9a5ded97c32292
                                                                                                                                        • Instruction ID: c84ee5161fec377772afe50392ccdda0a8bb07994e48397d3aef2a1363f3e47d
                                                                                                                                        • Opcode Fuzzy Hash: a3b3a00d693c6dc062d259706a92a6c7a9c814f0d0dab19c2f9a5ded97c32292
                                                                                                                                        • Instruction Fuzzy Hash: A521A1B5A00208EBD730CF58D984F96F3F9FF89710F10495AEA86C7240C731AA55DBA0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F3AFAD
                                                                                                                                        • setsockopt.WS2_32(?,0000FFFF,00007010,?,00000004), ref: 02F3AFD2
                                                                                                                                          • Part of subcall function 02F39240: EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,?,00000000,02F5B698,000000FF,?,02F3AFE8), ref: 02F3926E
                                                                                                                                          • Part of subcall function 02F39240: LeaveCriticalSection.KERNEL32(?,?,02F3AFE8), ref: 02F3928B
                                                                                                                                        • HeapFree.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000), ref: 02F3B022
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F3B029
                                                                                                                                          • Part of subcall function 02F3B310: HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,?,02F3AFF9,?,?), ref: 02F3B3B2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalFreeHeapInterlockedSection$DecrementEnterIncrementLeavesetsockopt
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2428991505-0
                                                                                                                                        APIs
                                                                                                                                        • GetFileSize.KERNEL32(?,?), ref: 02F3706E
                                                                                                                                        • CreateFileMappingA.KERNEL32(?,00000000,00000002,?,00000000,00000000), ref: 02F37083
                                                                                                                                        • MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,?,00000000,?,00000000,00000002,?,00000000,00000000), ref: 02F370C3
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,00000002,?,00000000,00000000), ref: 02F370DA
                                                                                                                                          • Part of subcall function 02F368C0: GetLastError.KERNEL32(02F351EC), ref: 02F368C0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CloseCreateErrorHandleLastMappingSizeView
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 322783378-0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F409A5
                                                                                                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,02F408BD,?,?,?,00000000,?,02F40760,?,?,?), ref: 02F409C7
                                                                                                                                          • Part of subcall function 02F3F730: EnterCriticalSection.KERNEL32(?), ref: 02F3F759
                                                                                                                                          • Part of subcall function 02F3F730: EnterCriticalSection.KERNEL32(?), ref: 02F3F763
                                                                                                                                          • Part of subcall function 02F3F730: LeaveCriticalSection.KERNEL32(?), ref: 02F3F782
                                                                                                                                          • Part of subcall function 02F3F730: LeaveCriticalSection.KERNEL32(?), ref: 02F3F785
                                                                                                                                          • Part of subcall function 02F3F730: timeGetTime.WINMM(?,00000000,?,?,?), ref: 02F3F7B4
                                                                                                                                        • closesocket.WS2_32(02F40760), ref: 02F409D6
                                                                                                                                        • PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,?,02F408BD,?,?,?,00000000,?,02F40760,?,?,?), ref: 02F409E6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$CompletionDecrementFreeHeapInterlockedPostQueuedStatusTimeclosesockettime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2020902681-0
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        • CTcpClient::CheckParams, xrefs: 02F3D642
                                                                                                                                        • CTcpPackClientT<class CTcpClient>::CheckParams, xrefs: 02F33DFC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast
                                                                                                                                        • String ID: CTcpClient::CheckParams$CTcpPackClientT<class CTcpClient>::CheckParams
                                                                                                                                        • API String ID: 1452528299-2097985869
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F45354
                                                                                                                                        • WSACloseEvent.WS2_32(?), ref: 02F45396
                                                                                                                                        • shutdown.WS2_32(02F2DF07,00000001), ref: 02F453AA
                                                                                                                                        • closesocket.WS2_32(02F2DF07), ref: 02F453B4
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCurrentEventThreadclosesocketshutdown
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 802825583-0
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3016257755-0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 02F37F63
                                                                                                                                        • WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 02F37F7D
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F37F88
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 02F37F99
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked$DecrementErrorIncrementLastRecv
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2764021884-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM ref: 02F42214
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F78214), ref: 02F4222A
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F78214), ref: 02F42235
                                                                                                                                        • timeGetTime.WINMM ref: 02F42248
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: IncrementInterlockedTimetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 159728177-0
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,00000000,?,?,02F43390,00000000,?,?,?,00000000), ref: 02F43924
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F78214), ref: 02F4393A
                                                                                                                                        • InterlockedIncrement.KERNEL32(02F78214), ref: 02F43945
                                                                                                                                        • timeGetTime.WINMM(?,02F43390,00000000,?,?,?,00000000), ref: 02F43958
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: IncrementInterlockedTimetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 159728177-0
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 02F4D073
                                                                                                                                          • Part of subcall function 02F4D0D9: __FF_MSGBANNER.LIBCMT ref: 02F4D0F2
                                                                                                                                          • Part of subcall function 02F4D0D9: __NMSG_WRITE.LIBCMT ref: 02F4D0F9
                                                                                                                                          • Part of subcall function 02F4D0D9: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02F50230,?,00000001,?,?,02F50BA3,00000018,02F67FB8,0000000C,02F50C33), ref: 02F4D11E
                                                                                                                                        • std::exception::exception.LIBCMT ref: 02F4D0A8
                                                                                                                                        • std::exception::exception.LIBCMT ref: 02F4D0C2
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 02F4D0D3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 615853336-0
                                                                                                                                        APIs
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F2AD69
                                                                                                                                        • TranslateMessage.USER32(?), ref: 02F2AD84
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 02F2AD8A
                                                                                                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 02F2AD98
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$Peek$DispatchTranslate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1795658109-0
                                                                                                                                        APIs
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000002,00000001), ref: 02F36DE0
                                                                                                                                        • InterlockedCompareExchange.KERNEL32(?,00000002,00000000), ref: 02F36DEC
                                                                                                                                        • WaitForSingleObject.KERNEL32(0000029C,00000005,?,?,02F3699E,?,?,?,02F2CA39,000000FF,6EBCDBE2), ref: 02F36E09
                                                                                                                                        • SetLastError.KERNEL32(0000139F,?,?,02F3699E,?,?,?,02F2CA39,000000FF,6EBCDBE2), ref: 02F36E17
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CompareExchangeInterlocked$ErrorLastObjectSingleWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 322141815-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F21970: HeapFree.KERNEL32(?,00000000,?,?,?,02F21441), ref: 02F2198D
                                                                                                                                          • Part of subcall function 02F21970: _free.LIBCMT ref: 02F219A9
                                                                                                                                        • HeapDestroy.KERNEL32(00000000,?,00000000,02F2B2FF,?), ref: 02F31A63
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?,?,00000000,02F2B2FF,?), ref: 02F31A75
                                                                                                                                        • _free.LIBCMT ref: 02F31A85
                                                                                                                                        • HeapDestroy.KERNEL32(?,?,00000000,02F2B2FF,?), ref: 02F31AB2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Destroy_free$CreateFree
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4097506873-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F35610: HeapFree.KERNEL32(?,00000000,00000008,00000000,75566230,02F6820C), ref: 02F3562E
                                                                                                                                          • Part of subcall function 02F35610: _free.LIBCMT ref: 02F3564A
                                                                                                                                        • HeapDestroy.KERNEL32(00000000,?,?,02F2BA6D,?), ref: 02F31DD3
                                                                                                                                        • HeapCreate.KERNEL32(?,?,?,?,?,02F2BA6D,?), ref: 02F31DE5
                                                                                                                                        • _free.LIBCMT ref: 02F31DF5
                                                                                                                                        • HeapDestroy.KERNEL32(?,?,?,02F2BA6D,?), ref: 02F31E22
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap$Destroy_free$CreateFree
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4097506873-0
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 00F94E7A
                                                                                                                                          • Part of subcall function 00F94544: __FF_MSGBANNER.LIBCMT ref: 00F94567
                                                                                                                                          • Part of subcall function 00F94544: __NMSG_WRITE.LIBCMT ref: 00F9456E
                                                                                                                                          • Part of subcall function 00F94544: RtlAllocateHeap.NTDLL(00000000,?), ref: 00F945BB
                                                                                                                                        • std::bad_alloc::bad_alloc.LIBCMT ref: 00F94E9D
                                                                                                                                          • Part of subcall function 00F94DF6: std::exception::exception.LIBCMT ref: 00F94E02
                                                                                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 00F94EB1
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 00F94EBF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1411284514-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F2AC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F2ACA5
                                                                                                                                          • Part of subcall function 02F2AC90: SwitchToThread.KERNEL32(?,02F21AA6,?), ref: 02F2ACB9
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F2AB4C
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F2AB57
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,02F48F37,?,?), ref: 02F2AB81
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F2AB87
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Thread$Current$CompareExchangeInterlockedObjectSingleSwitchWait
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2292024209-0
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 00F986CA
                                                                                                                                          • Part of subcall function 00F96975: __getptd_noexit.LIBCMT ref: 00F96978
                                                                                                                                          • Part of subcall function 00F96975: __amsg_exit.LIBCMT ref: 00F96985
                                                                                                                                        • __getptd.LIBCMT ref: 00F986E1
                                                                                                                                        • __amsg_exit.LIBCMT ref: 00F986EF
                                                                                                                                        • __lock.LIBCMT ref: 00F986FF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2715965943.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2715965943.0000000000FA4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_f90000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3521780317-0
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717983727.0000000010001000.00000040.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                        • Associated: 00000002.00000002.2717966199.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2717983727.0000000010011000.00000040.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718021812.0000000010012000.00000080.00000001.01000000.00000008.sdmp
                                                                                                                                        • Associated: 00000002.00000002.2718041790.0000000010013000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_10000000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: deflate$Reset
                                                                                                                                        • String ID: 8
                                                                                                                                        • API String ID: 1941576812-4194326291
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: recv sn=%lu
                                                                                                                                        • API String ID: 0-1144994348
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F2AC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F2ACA5
                                                                                                                                          • Part of subcall function 02F2AC90: SwitchToThread.KERNEL32(?,02F21AA6,?), ref: 02F2ACB9
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F21B43
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 02F21B7D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CompareExchangeInterlockedObjectSingleSwitchThreadWaitXinvalid_argumentstd::_
                                                                                                                                        • String ID: list<T> too long
                                                                                                                                        • API String ID: 4003689891-4027344264
                                                                                                                                        • Opcode ID: 4469b8b5082f30ff0df9f9510a4e8bd1ea0cb45be630ec37e6b70d1d287ea7f4
                                                                                                                                        • Instruction ID: f4f11e1b5a54785c7e05919d049603a521978b4ca20223097514f5fb94828d80
                                                                                                                                        • Opcode Fuzzy Hash: 4469b8b5082f30ff0df9f9510a4e8bd1ea0cb45be630ec37e6b70d1d287ea7f4
                                                                                                                                        • Instruction Fuzzy Hash: B9218371600615EFD714DF64DD80F9BF7B9FB49760F10871AEA2A97280DB34A905CBA0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F2AC90: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02F2ACA5
                                                                                                                                          • Part of subcall function 02F2AC90: SwitchToThread.KERNEL32(?,02F21AA6,?), ref: 02F2ACB9
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F3CAD3
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 02F3CB0D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CompareExchangeInterlockedObjectSingleSwitchThreadWaitXinvalid_argumentstd::_
                                                                                                                                        • String ID: list<T> too long
                                                                                                                                        • API String ID: 4003689891-4027344264
                                                                                                                                        • Opcode ID: fa17c07386a648a823e98850d8947efdf070752d56fb7a992eef52a4e6d8f504
                                                                                                                                        • Instruction ID: e3129782cfa470c04e3308a90b8000b5384b47f6765818132d4806ad732bc0ed
                                                                                                                                        • Opcode Fuzzy Hash: fa17c07386a648a823e98850d8947efdf070752d56fb7a992eef52a4e6d8f504
                                                                                                                                        • Instruction Fuzzy Hash: 6521AE71600605AFC705DF64D980F9AF7F9FB49760F10872AEA2A97280DB34E804CBA0
                                                                                                                                        APIs
                                                                                                                                        • StrChrA.SHLWAPI(?,0000003A,?,02F375E6,6EBCDBE2), ref: 02F3711C
                                                                                                                                        • _swscanf.LIBCMT ref: 02F37155
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _swscanf
                                                                                                                                        • String ID: %d.%d.%d.%d%c
                                                                                                                                        • API String ID: 2748852333-2398565245
                                                                                                                                        • Opcode ID: adf6de9cca79ab6b892842854886e1fd2b15572c4903ff087e7c283f2074c7d7
                                                                                                                                        • Instruction ID: 38ce7d76f856ba05002e5e18738372c10caaf66742167c910358574c3efe97a1
                                                                                                                                        • Opcode Fuzzy Hash: adf6de9cca79ab6b892842854886e1fd2b15572c4903ff087e7c283f2074c7d7
                                                                                                                                        • Instruction Fuzzy Hash: 1911A772E0110CB7EB25FEA49C51BBEF365DB09688F00059EEB46A6580EA6596108751
                                                                                                                                        APIs
                                                                                                                                        • WSARecvFrom.WS2_32(00000002,?,00000001,00000002,02F4CAA0,00000002,?,00000000,00000000), ref: 02F380FB
                                                                                                                                        • WSAGetLastError.WS2_32 ref: 02F38106
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorFromLastRecv
                                                                                                                                        • String ID: D'
                                                                                                                                        • API String ID: 1754479778-1892035989
                                                                                                                                        • Opcode ID: c047ed4133f35fa0fe900a3c893a17730a361a9b7424e23abaadf9367e1fa513
                                                                                                                                        • Instruction ID: 2f948077d6d23e43f49fa44525e4136612139ac5ed9d310c860a3660beb2d8c1
                                                                                                                                        • Opcode Fuzzy Hash: c047ed4133f35fa0fe900a3c893a17730a361a9b7424e23abaadf9367e1fa513
                                                                                                                                        • Instruction Fuzzy Hash: BD11CA72D01208AFDB14DF58DC859EEBBBCEB44390F5042A9F905D7280E774DA54CB90
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 02F3CA03
                                                                                                                                          • Part of subcall function 02F4CF75: std::exception::exception.LIBCMT ref: 02F4CF8A
                                                                                                                                          • Part of subcall function 02F4CF75: __CxxThrowException@8.LIBCMT ref: 02F4CF9F
                                                                                                                                          • Part of subcall function 02F4CF75: std::exception::exception.LIBCMT ref: 02F4CFB0
                                                                                                                                        • _memmove.LIBCMT ref: 02F3CA2E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                        • API String ID: 1785806476-3788999226
                                                                                                                                        • Opcode ID: 4e08a2243bb8a835f5dd49e6206258eb4635d6c30a801e15b464298bbd91b5b7
                                                                                                                                        • Instruction ID: b77493bd32cf45ed6b6e41b414d7dfa592ca130b2df9f59af61df226f95214f4
                                                                                                                                        • Opcode Fuzzy Hash: 4e08a2243bb8a835f5dd49e6206258eb4635d6c30a801e15b464298bbd91b5b7
                                                                                                                                        • Instruction Fuzzy Hash: 9C01A7B1A002059FDB24DF68CC91C2BB7D9EB54350714492EE55BC3340EB74F9008B60
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 02F57773: __getptd.LIBCMT ref: 02F57779
                                                                                                                                          • Part of subcall function 02F57773: __getptd.LIBCMT ref: 02F57789
                                                                                                                                        • __getptd.LIBCMT ref: 02F5878D
                                                                                                                                          • Part of subcall function 02F5053D: __getptd_noexit.LIBCMT ref: 02F50540
                                                                                                                                          • Part of subcall function 02F5053D: __amsg_exit.LIBCMT ref: 02F5054D
                                                                                                                                        • __getptd.LIBCMT ref: 02F5879B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                        • String ID: csm
                                                                                                                                        • API String ID: 803148776-1018135373
                                                                                                                                        • Opcode ID: ed37fec5f76a2d54f78250d1dcca3dfa275971352f5c23ce2009e9b9ced458c2
                                                                                                                                        • Instruction ID: 441fe02676f8ad3afc4f8b5a6af4b9004acfb252b6ae245566b72e580f73e068
                                                                                                                                        • Opcode Fuzzy Hash: ed37fec5f76a2d54f78250d1dcca3dfa275971352f5c23ce2009e9b9ced458c2
                                                                                                                                        • Instruction Fuzzy Hash: 7E012835C016298ACF249F26F8846ADB7B6FF04391F54442DDB5056690CF3086C2CE95
                                                                                                                                        APIs
                                                                                                                                        • DecodePointer.KERNEL32(?,02F4FD6D,00000000,00000000,00000000,00000000,00000000,02F54A88,?,02F4EC8B,00000003,02F4D0F7,00000001,00000000,00000000), ref: 02F4FD3F
                                                                                                                                        • __invoke_watson.LIBCMT ref: 02F4FD5B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DecodePointer__invoke_watson
                                                                                                                                        • String ID: PNEw
                                                                                                                                        • API String ID: 4034010525-3542233003
                                                                                                                                        • Opcode ID: 04bf1d81e60b393af94d1e2e29bff0a60ea68449b2b2081ff58a1ca223c33432
                                                                                                                                        • Instruction ID: 0bfbd720f23009061234626c542b523b3b4dbb41b9e7aa34ad66f3bfdc5ebc66
                                                                                                                                        • Opcode Fuzzy Hash: 04bf1d81e60b393af94d1e2e29bff0a60ea68449b2b2081ff58a1ca223c33432
                                                                                                                                        • Instruction Fuzzy Hash: 7CE0E23285020DBBDF062FA1DC089ABBF7AEB44390B544920FF1989420DB76C971EB90
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DecodePointer
                                                                                                                                        • String ID: PNEw
                                                                                                                                        • API String ID: 3527080286-3542233003
                                                                                                                                        • Opcode ID: 4158761d9e1b6e1c657c0bf5b75086cc36de7882f1d9f059d61e48a5bdcb6387
                                                                                                                                        • Instruction ID: 6ad0ebef46e28876502c805eb444354249924f7adc82d7d87945d9c0142f96e0
                                                                                                                                        • Opcode Fuzzy Hash: 4158761d9e1b6e1c657c0bf5b75086cc36de7882f1d9f059d61e48a5bdcb6387
                                                                                                                                        • Instruction Fuzzy Hash: D2C04C31F9560969FD5437F01C0AF6D3D16EB01BE6F044935AB069D1C0FED18510A433
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(0000139F), ref: 02F481D1
                                                                                                                                        • SetLastError.KERNEL32(0000273F), ref: 02F481FF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1452528299-0
                                                                                                                                        • Opcode ID: 8e56069acf083c0bae742241b407159c436bd2556e6050886816dac571522958
                                                                                                                                        • Instruction ID: f8bf10caf57c4724dd8f3b569c992637fe6b6174f721126170d76b461099a239
                                                                                                                                        • Opcode Fuzzy Hash: 8e56069acf083c0bae742241b407159c436bd2556e6050886816dac571522958
                                                                                                                                        • Instruction Fuzzy Hash: 12417132A087558BD714CF58D88066BBBE5FB887E4F104A6EEE4597240DB71ED00CB91
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,?,?,02F5BB38,000000FF), ref: 02F332F1
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,02F5BB38,000000FF), ref: 02F3330E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,02F5BB38,000000FF), ref: 02F33338
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F33381
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$Enter
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2978645861-0
                                                                                                                                        • Opcode ID: e904d0e24d701a7d4353556ee7bb773f564cab56faa4f80345087e26f957a2a1
                                                                                                                                        • Instruction ID: fa7735ba82c40605280a863a7fd6501af6d316391a35f44091e2e24a3bdeca1d
                                                                                                                                        • Opcode Fuzzy Hash: e904d0e24d701a7d4353556ee7bb773f564cab56faa4f80345087e26f957a2a1
                                                                                                                                        • Instruction Fuzzy Hash: 4521B576A44618AFD714CF59E880BAAF7F8FB88760F00866AFE15C7740D735A910CB90
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,?,?,02F5BB38,000000FF), ref: 02F33951
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,02F5BB38,000000FF), ref: 02F3396E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,02F5BB38,000000FF), ref: 02F33998
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F339E1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$Enter
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2978645861-0
                                                                                                                                        • Opcode ID: 9b881f1fb3aabab8b42c20c2e6f739c57491acfe90b2e87daaf3403bcf72872c
                                                                                                                                        • Instruction ID: 2655ef0367b6afd66cceb80fa659809da71bd999e963a2b047aeb76df35dca69
                                                                                                                                        • Opcode Fuzzy Hash: 9b881f1fb3aabab8b42c20c2e6f739c57491acfe90b2e87daaf3403bcf72872c
                                                                                                                                        • Instruction Fuzzy Hash: 1221A676A44618AFC714CF58D880BAAF7E9FB48760F00866AFE0587740D735A910CB90
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000000,6EBCDBE2,?,?), ref: 02F393A3
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?), ref: 02F393EA
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F39401
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F39425
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2124651672-0
                                                                                                                                        • Opcode ID: 3ffd10822fe42f1d9d0d60cf27b738e1f810305ccb5e0fde3af5d5a475c8a017
                                                                                                                                        • Instruction ID: 51bed1b8e9ca3e6d4f163c9c1e5724857a5625451801feabd76ff77a00558015
                                                                                                                                        • Opcode Fuzzy Hash: 3ffd10822fe42f1d9d0d60cf27b738e1f810305ccb5e0fde3af5d5a475c8a017
                                                                                                                                        • Instruction Fuzzy Hash: C0315AB5A04619AFCB14CF64D984F6AB7F9FF4C390F508A29EA0687740D7B0E910CB90
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000000,6EBCDBE2), ref: 02F3EA53
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2), ref: 02F3EA9A
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 02F3EAB1
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 02F3EAD5
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2124651672-0
                                                                                                                                        • Opcode ID: 5ca319c9da5c37ec7c9746174e0119212684a4ce269c2c1cd7404ec733e5372d
                                                                                                                                        • Instruction ID: 384d0f460fb5bd12ed4cf8237b39cc35e0ca848845120fa4d304b5b8e4a0f396
                                                                                                                                        • Opcode Fuzzy Hash: 5ca319c9da5c37ec7c9746174e0119212684a4ce269c2c1cd7404ec733e5372d
                                                                                                                                        • Instruction Fuzzy Hash: 7B312675A00619EFDB15DF64D884B6ABBF9FF48790F108A29EA0687740D774E900CB90
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?), ref: 02F48ED7
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?), ref: 02F48F27
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?), ref: 02F48F44
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?), ref: 02F48F6D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2124651672-0
                                                                                                                                        • Opcode ID: c7e81c817eb748803197d17280b5aca589b8e129bb92c3634c1c8607b749e420
                                                                                                                                        • Instruction ID: f5e10223e891be13fb0bd961bcf77a8bb8a77c5d1cd8c3165e6062908bef6583
                                                                                                                                        • Opcode Fuzzy Hash: c7e81c817eb748803197d17280b5aca589b8e129bb92c3634c1c8607b749e420
                                                                                                                                        • Instruction Fuzzy Hash: 41218E75E10219EFDB14DF54C880AAABBAABF48390F1182A5EE059B305DB70ED40CBD0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,6EBCDBE2,?,?,?,00000000,02F5B698,000000FF,?,02F3AFE8), ref: 02F3926E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,02F3AFE8), ref: 02F3928B
                                                                                                                                        • SetLastError.KERNEL32(00000000,?,02F3AFE8), ref: 02F392A9
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,02F3AFE8), ref: 02F392C2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2717037533.0000000002F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F20000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_2f20000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterErrorLast
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3832147951-0
                                                                                                                                        • Opcode ID: daa40cb3fdb6fc7638ee219b0f5967c9cb0e3141637164b56959827839e99f3f
                                                                                                                                        • Instruction ID: 1b0d72d1fe8ad8272193d5d57a9c8edd5b0ceabdfef65f629dd1fb0966c5545f
                                                                                                                                        • Opcode Fuzzy Hash: daa40cb3fdb6fc7638ee219b0f5967c9cb0e3141637164b56959827839e99f3f
                                                                                                                                        • Instruction Fuzzy Hash: 74117332E446189FD715CF88D844BAAF7F8FB89B50F004A6AEA15D3740DBB5A9008B90
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(011D6300,?,00000000,?,0118FEC4,010A38C7,00000010,?,00000100,0118FEC4,?,?,010A32AE,010A3311,010A2B97,0109F70C), ref: 010A4529
                                                                                                                                        • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,0118FEC4,010A38C7,00000010,?,00000100,0118FEC4,?,?,010A32AE,010A3311,010A2B97,0109F70C), ref: 010A453B
                                                                                                                                        • LeaveCriticalSection.KERNEL32(011D6300,?,00000000,?,0118FEC4,010A38C7,00000010,?,00000100,0118FEC4,?,?,010A32AE,010A3311,010A2B97,0109F70C), ref: 010A4544
                                                                                                                                        • EnterCriticalSection.KERNEL32(00000000,00000000,?,0118FEC4,010A38C7,00000010,?,00000100,0118FEC4,?,?,010A32AE,010A3311,010A2B97,0109F70C,00000100), ref: 010A4556
                                                                                                                                          • Part of subcall function 010A445B: GetVersion.KERNEL32(?,010A44FE,0118FEC4,010A38C7,00000010,?,00000100,0118FEC4,?,?,010A32AE,010A3311,010A2B97,0109F70C,00000100,0109F6A5), ref: 010A446E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.2716384899.0000000000FE5000.00000020.00000001.01000000.00000007.sdmp, Offset: 00FB0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_fb0000_czrdnq8b.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1193629340-0
                                                                                                                                        • Opcode ID: 5782b57de67ffa939945b40eef59d1e926398330468f3c326d016a34f88f8161
                                                                                                                                        • Instruction ID: 29dcd58ca1695196394298386ed8bfc38ad9f9859b72ce90b3c879b0819d19b7
                                                                                                                                        • Opcode Fuzzy Hash: 5782b57de67ffa939945b40eef59d1e926398330468f3c326d016a34f88f8161
                                                                                                                                        • Instruction Fuzzy Hash: 3BF0623500721AEFCB64DFACE884956B3ADFB00317B844536E699C340ADB79F199CB90