
Windows Analysis Report
Unlock_Tool_2.3.1.exe

Overview

General Information

Sample name: Unlock_Tool_2.3.1.exe
Analysis ID: 1538171
MD5: 72162382680c702829c6ceed17d2e507
SHA1: 51324f4095fe73a99d080d9f0bba1c829430bb18
SHA256: eaae82540ddec53797abee6d3bf507acace850f3fff7cb2a03b6a26ab0b5c46f
Tags: exe, user-KnownStormChaser

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Self deletion via cmd or bat file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Unlock_Tool_2.3.1.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" MD5: 72162382680C702829C6CEED17D2E507)
    • Unlock_Tool_2.3.1.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" MD5: 72162382680C702829C6CEED17D2E507)
      • cmd.exe (PID: 5928 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" & rd /s /q "C:\ProgramData\IDGIJEGHDAEC" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7136 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 7480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 272 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199786602107"], "Botnet": "23a142269e47ce1692ccc9fb68473bc2"}
Source | Rule | Description | Author
00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Source | Rule | Description | Author
0.2.Unlock_Tool_2.3.1.exe.7ab930.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.Unlock_Tool_2.3.1.exe.7ab930.2.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
2.2.Unlock_Tool_2.3.1.exe.400000.2.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.Unlock_Tool_2.3.1.exe.400000.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
2.2.Unlock_Tool_2.3.1.exe.400000.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-20T17:59:29.851328+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49839 | 65.109.142.154 | 443 | TCP

AV Detection

Source: Unlock_Tool_2.3.1.exe | Avira: detected
Source: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199786602107"], "Botnet": "23a142269e47ce1692ccc9fb68473bc2"}
Source: Unlock_Tool_2.3.1.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Unlock_Tool_2.3.1.exe | Joe Sandbox ML: detected
Source: Unlock_Tool_2.3.1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49827 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 65.109.142.154:443 -> 192.168.2.6:49839 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49850 version: TLS 1.2
Source: Unlock_Tool_2.3.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_0079A7CB FindFirstFileExW, 0_2_0079A7CB
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0079A7CB FindFirstFileExW, 2_2_0079A7CB
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00415182 GetLogicalDriveStringsA, _memset, GetDriveTypeA, 2_2_00415182
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 0_2_007AC1DD
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 4x nop then mov dword ptr [ebp-04h], eax 0_2_007AC1DD
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 2_2_004014AD
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 4x nop then mov dword ptr [ebp-04h], eax 2_2_004014AD

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199786602107
Source: global traffic | HTTP traffic detected: GET /profiles/76561199786602107 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /lpnjoke HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.102.49.254
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49839 -> 65.109.142.154:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 65.109.142.154 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 65.109.142.154
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00406963 InternetOpenA, InternetConnectA, HttpSendRequestA, InternetReadFile, InternetCloseHandle, 2_2_00406963
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: cowod.hopto.org
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
                      Source: 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=nBdvNPPzc0qI&
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://help.steampowered.com/en/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                      Source: 76561199786602107[1].htm.2.drString found in binary or memory: https://steamcommunity.com/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001218000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/6
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://steamcommunity.com/discussions/
                      Source: 76561199786602107[1].htm.2.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199786602107
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://steamcommunity.com/market/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                      Source: Unlock_Tool_2.3.1.exe, Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199786602107
                      Source: Unlock_Tool_2.3.1.exe, 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199786602107g0b4cMozilla/5.0
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.000000000127A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199786602107h
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.000000000127A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199786602107y
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/Z
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://steamcommunity.com/workshop/
                      Source: 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2400133479.00000000012DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
                      Source: 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/about/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/explore/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/mobile
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/news/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/points/shop/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/stats/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/
                      Source: Unlock_Tool_2.3.1.exe, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/lpnjoke
                      Source: Unlock_Tool_2.3.1.exe, 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/lpnjokeg0b4cMozilla/5.0
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/lpnjokeh
                      Source: Unlock_Tool_2.3.1.exeString found in binary or memory: https://www.entrust.net/rpa0
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
                      Source: Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown | Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49827 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 65.109.142.154:443 -> 192.168.2.6:49839 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49850 version: TLS 1.2
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007CC0F7
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_0079E0E8
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007C71E7
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007C427F
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007D82E1
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00791317
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00792415
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007C6487
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007D86B3
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007A2820
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007D7AAE
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007D8A9B
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_0079DC60
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00795E4E
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00798F68
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007D7F43
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041C4B7
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042D983
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042D213
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041954F
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042DD6B
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042CD7E
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042D5B1
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041B757
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_007A2820
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0079E0E8
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00791317
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0079DC60
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00792415
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00795E4E
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00798F68
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: String function: 004047E8 appears 38 times
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: String function: 007923D0 appears 70 times
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: String function: 0079A48A appears 36 times
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: String function: 004104BC appears 36 times
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: String function: 004105DE appears 71 times
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 272
Source: Unlock_Tool_2.3.1.exe | Static PE information: invalid certificate
Source: Unlock_Tool_2.3.1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Unlock_Tool_2.3.1.exe | Static PE information: Section: .data ZLIB complexity 0.9950630040322581
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/7@3/3
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041147A CreateToolhelp32Snapshot,Process32First,Process32Next,
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041196C __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z,__EH_prolog3_catch,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199786602107[1].htm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7336
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | File created: C:\Users\user\AppData\Local\Temp\delays.tmp
Source: Unlock_Tool_2.3.1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Unlock_Tool_2.3.1.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe"
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe"
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 272
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" & rd /s /q "C:\ProgramData\IDGIJEGHDAEC" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe"
                      Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" & rd /s /q "C:\ProgramData\IDGIJEGHDAEC" & exitJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10Jump to behavior
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Unlock_Tool_2.3.1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Unlock_Tool_2.3.1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Unlock_Tool_2.3.1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Unlock_Tool_2.3.1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Unlock_Tool_2.3.1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Unlock_Tool_2.3.1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Unlock_Tool_2.3.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Unlock_Tool_2.3.1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Unlock_Tool_2.3.1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Unlock_Tool_2.3.1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Unlock_Tool_2.3.1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Unlock_Tool_2.3.1.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042587E LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_0042587E
Source: Unlock_Tool_2.3.1.exe | Static PE information: section name: .dash
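The static-PE lines above are the cheap signals a triage script keys on before any sandbox run: an Authenticode signature that does not verify, a non-standard section named .dash, and a .data section whose ZLIB complexity is 0.995. The last one is the strongest of the three, because .data normally holds initialised globals that compress well; a value that close to 1.0 means the section is an opaque blob, which matches the later unpacking and injection into a second copy of the process. The block below is an added example written for this page, not Joe Sandbox code; it assumes that "ZLIB complexity" means the zlib-compressed length divided by the raw length, and the two section buffers it scores are constructed, not taken from the sample.

```python
"""Section-packing metrics behind the static-PE lines above. Added example,
not Joe Sandbox code. Assumption: "ZLIB complexity" is taken here to be
len(zlib.compress(section)) / len(section), so a value near 1.0 means zlib
found nothing to squeeze, which is how encrypted or already-compressed
payloads look. The two section buffers are constructed, not from the sample.
"""
import math
import random
import zlib


def zlib_complexity(data: bytes) -> float:
    """Compressed length over raw length: ~0.0 for repetitive, ~1.0 for opaque data."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_section(name: str, data: bytes, threshold: float = 0.9) -> dict:
    """Flag a section whose bytes look encrypted or compressed.

    .data normally holds initialised globals (strings, tables, zero padding)
    and compresses well. A .data section at ~0.995, as in the report, is
    carrying an opaque blob, typically a second stage that is decrypted and
    injected at run time.
    """
    c = zlib_complexity(data)
    return {"section": name,
            "zlib_complexity": round(c, 4),
            "entropy": round(shannon_entropy(data), 3),
            "suspicious": c >= threshold}


def constructed_sections() -> dict:
    """Two stand-in .data buffers: plausible plain globals vs. an opaque payload."""
    rng = random.Random(1538171)  # fixed seed keeps the opaque buffer stable
    plain = (b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\x00" * 64
             + b"\x00" * 4096)
    opaque = bytes(rng.getrandbits(8) for _ in range(8192))
    return {".data(plain)": plain, ".data(opaque)": opaque}


def triage(sections: dict = None) -> list:
    """Classify every section; defaults to the constructed pair above."""
    if sections is None:
        sections = constructed_sections()
    return [classify_section(n, d) for n, d in sections.items()]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Entropy is reported alongside the ratio because the two disagree on one useful case: a section that is mostly zeros with a small encrypted blob appended has low entropy overall but the blob still shows up when sections are scored in windows. On a real file, feed each section's raw bytes (as read from the section table) to `triage` rather than the whole image, since code and relocation data sit in between.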
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007DA240 push cs; ret 0_2_007DA241
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007DA210 push esp; retn 0003h 0_2_007DA215
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007915F4 push eax; ret 0_2_00791653
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007DC845 push 0000004Ch; iretd 0_2_007DC856
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007C8B35 push ecx; ret 0_2_007C8B48
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007D9EC2 push ecx; ret 0_2_007D9ED5
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007A2F31 push ecx; ret 0_2_007A2F44
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042F192 push ecx; ret 2_2_0042F1A5
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00422D89 push esi; ret 2_2_00422D8B
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041DE05 push ecx; ret 2_2_0041DE18
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00432715 push 0000004Ch; iretd 2_2_00432726
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_007915F4 push eax; ret 2_2_00791653
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_007A2F31 push ecx; ret 2_2_007A2F44

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" & rd /s /q "C:\ProgramData\IDGIJEGHDAEC" & exit
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)
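Read together, the process lines in this report describe the sample starting a second copy of its own image (the suspended process that receives the injected PE), and that copy later running cmd.exe with `timeout /t 10 & del /f /q <own path> & rd /s /q C:\ProgramData\IDGIJEGHDAEC & exit`: the delay lets the parent exit so the image file is no longer locked, then the original executable and the staging directory are removed. The block below is an added detection example written for this page, not Joe Sandbox code. It runs over constructed Sysmon-style process-creation records modelled on the tree above; the record field names, the PIDs of the cmd.exe and timeout.exe children, and which of the two sample processes spawned cmd.exe are assumptions. It also recognises the `ping 127.0.0.1` delay idiom, which this page does not show but which fills the same role as `timeout`.

```python
"""Detection logic for the process tree in the report: a process that spawns
a copy of its own image (the injection target) and a cmd.exe one-liner that
waits, deletes the original executable and removes a staging directory.
Added example, not Joe Sandbox code. The event records are constructed,
Sysmon-Event-1-like dicts; field names and the PIDs of the cmd.exe/timeout
children are assumptions, not values from the report.
"""
import re

SAMPLE = r"C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events modelled on the report's process tree.
EVENTS = [
    {"pid": 7336, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 7404, "image": SAMPLE, "parent_image": SAMPLE,   # same image: injection target
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 7500, "image": CMD, "parent_image": SAMPLE,      # pid assumed
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
                r'"C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" & rd /s /q '
                r'"C:\ProgramData\IDGIJEGHDAEC" & exit'},
    {"pid": 7512, "image": r"C:\Windows\SysWOW64\timeout.exe", "parent_image": CMD,
     "cmdline": "timeout /t 10"},
    # Benign control: an ordinary cmd one-liner that deletes nothing.
    {"pid": 9000, "image": CMD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c dir /b "C:\ProgramData" & exit'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted path or bare word


def cmd_chain(cmdline: str) -> list:
    """Return the &-separated commands that follow cmd.exe's /c or /k switch."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I)
    if not m:
        return []
    parts = re.split(r"\s*(?:&&|\|\||&)\s*", m.group(1))
    return [p.strip() for p in parts if p.strip()]


def path_arg(tokens: list) -> str:
    """Last non-switch argument of a del/rd command, unquoted and lower-cased."""
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return args[-1].strip('"').lower() if args else ""


def detect(events: list) -> list:
    """Findings for same-image spawns and delayed self-deletion chains."""
    findings = []
    for ev in events:
        image, parent = ev["image"].lower(), ev["parent_image"].lower()
        if image == parent:
            findings.append({"rule": "self_spawn_same_image",
                             "pid": ev["pid"], "detail": image})
        if not image.endswith("\\cmd.exe"):
            continue
        delay, del_targets, rd_targets = False, [], []
        for part in cmd_chain(ev["cmdline"]):
            tok = TOKEN_RE.findall(part)
            verb = tok[0].lower() if tok else ""
            if verb == "timeout" or (verb == "ping" and "127.0.0.1" in tok):
                delay = True
            elif verb in ("del", "erase"):
                del_targets.append(path_arg(tok))
            elif verb in ("rd", "rmdir"):
                rd_targets.append(path_arg(tok))
        if parent in del_targets:  # cmd.exe deleting the binary that launched it
            findings.append({"rule": "self_delete_via_cmd", "pid": ev["pid"],
                             "detail": f"delayed={delay} target={parent}"})
        for d in rd_targets:
            if "\\programdata\\" in d:
                findings.append({"rule": "staging_dir_removal",
                                 "pid": ev["pid"], "detail": d})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The self-delete rule is high fidelity because it ties the `del` target to the parent's own image path; a bare "cmd.exe deletes an executable" rule would fire on installers and updaters. The same-image spawn rule is noisy on its own (browsers and some runtimes launch helper processes from their own image), so in production it should be combined with create-suspended and cross-process memory-write telemetry rather than alerting by itself.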

                      Malware Analysis System Evasion

Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.7ab930.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Unlock_Tool_2.3.1.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Unlock_Tool_2.3.1.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.7ab930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7404, type: MEMORYSTR
Source: Unlock_Tool_2.3.1.exe | Binary or memory string: DIR_WATCH.DLL
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL23:02:3123:02:3123:02:3123:02:3123:02:3123:02:31DELAYS.TMP%S%SNTDLL.DLL
Source: Unlock_Tool_2.3.1.exe | Binary or memory string: SBIEDLL.DLL
Source: Unlock_Tool_2.3.1.exe | Binary or memory string: API_LOG.DLL
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 2_2_0040180D
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | API coverage: 4.9 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 7512 | Thread sleep count: 89 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_0079A7CB FindFirstFileExW, 0_2_0079A7CB
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0079A7CB FindFirstFileExW, 2_2_0079A7CB
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00415182 GetLogicalDriveStringsA,_memset,GetDriveTypeA, 2_2_00415182
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00410F8F GetSystemInfo, 2_2_00410F8F
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWzf
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001308000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:}]
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpJ)
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
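Two different kinds of evidence sit in the evasion section above and should not be weighed the same way. The memory string from the unpacked payload carries a fixed list of sandbox and API-monitor DLL names (SbieDll.dll, api_log.dll, dir_watch.dll, vmcheck.dll and the rest) next to the HAL9TH / JohnDoe pair; the GetCursorPos/Sleep loop is a behavioural check on top of that. The many VMware lines attributed to Amcache.hve.5.dr, by contrast, come from a copy of the system's Amcache hive recorded as a file written by the WerFault process, so they describe the analysis VM itself and say nothing about what the sample looks for. The scanner below is an added example written for this page, not the YARA rule Joe Sandbox matched; it searches a byte buffer for the marker strings the report lists in both ASCII and UTF-16LE, groups the hits, and gives a verdict that weights a cluster of hook-DLL names far above a lone hypervisor vendor string. The attribution of HAL9TH and JohnDoe to the Windows Defender emulator is background knowledge, not something the report states, and the two buffers at the end are constructed inputs.

```python
"""Scanner for the sandbox-evasion strings listed in the report. Added example,
not the YARA rule Joe Sandbox matched. Markers are searched in ASCII and
UTF-16LE, since PE binaries carry both, and grouped by what they indicate.
The buffers at the bottom are constructed test inputs, not dumps of the sample.
"""

# Hook / API-monitor DLL names from the report's memory string
# (Sandboxie's SbieDll.dll among them).
SANDBOX_DLLS = ["avghookx.dll", "avghooka.dll", "snxhk.dll", "sbiedll.dll",
                "api_log.dll", "dir_watch.dll", "pstorec.dll", "vmcheck.dll",
                "wpespy.dll", "cmdvrt32.dll", "cmdvrt64.dll"]
# HAL9TH / JohnDoe: computer and user name of the Windows Defender emulator.
# That attribution is background knowledge, not a report finding.
EMULATOR_IDENTITY = ["hal9th", "johndoe"]
# Hypervisor vendor strings as they appear in the report; weak on their own.
VM_VENDOR = ["vmware", "hyper-v", "vmci"]

CATEGORIES = (("sandbox_dll", SANDBOX_DLLS),
              ("emulator_identity", EMULATOR_IDENTITY),
              ("vm_vendor", VM_VENDOR))


def find_markers(buf: bytes) -> dict:
    """Case-insensitive search for each marker in ASCII and UTF-16LE."""
    low = buf.lower()  # bytes.lower() folds ASCII only; UTF-16LE ASCII text folds too
    hits = {cat: [] for cat, _ in CATEGORIES}
    for cat, words in CATEGORIES:
        for w in words:
            if w.encode("ascii") in low or w.encode("utf-16-le") in low:
                hits[cat].append(w)
    return hits


def verdict(buf: bytes) -> str:
    """'anti-vm' on a cluster of hook-DLL names or the full emulator identity
    pair, 'weak' on scattered single markers, 'none' otherwise."""
    h = find_markers(buf)
    if len(h["sandbox_dll"]) >= 3 or len(h["emulator_identity"]) == 2:
        return "anti-vm"
    if any(h.values()):
        return "weak"
    return "none"


# Constructed buffers: one shaped like the payload's string table, one shaped
# like a legitimate virtualisation-aware program.
EVASIVE_BUF = (b"\x00" * 16
               + b"SbieDll.dll\x00api_log.dll\x00DIR_WATCH.DLL\x00"
               + "vmcheck.dll".encode("utf-16-le") + b"\x00\x00"
               + b"HAL9TH\x00JohnDoe\x00DELAYS.TMP\x00")
BENIGN_BUF = b"VMware Tools\x00Hyper-V Integration Services\x00"

if __name__ == "__main__":
    for name, buf in (("evasive", EVASIVE_BUF), ("benign", BENIGN_BUF)):
        print(name, verdict(buf), find_markers(buf))
```

Run it over the unpacked dumps (the `.unpack` and `.sdmp` artefacts the Yara lines reference), not over the packed file on disk, since the .data section that holds the strings is opaque until the first stage decrypts it. The thresholds are deliberately coarse; vendor strings alone stay at "weak" because any driver installer or VM-tools package carries them, which is also why the Amcache lines above should not be read as sample behaviour.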
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | API call chain: ExitProcess graph end node graph_2-31000
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | API call chain: ExitProcess graph end node graph_2-31016
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007915F4 LdrInitializeThunk, 0_2_007915F4
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00792178 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00792178
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00791659 mov edi, dword ptr fs:[00000030h] 0_2_00791659
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007AC1DD mov eax, dword ptr fs:[00000030h] 0_2_007AC1DD
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007AC1D2 mov eax, dword ptr fs:[00000030h] 0_2_007AC1D2
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007AC1BA mov eax, dword ptr fs:[00000030h] 0_2_007AC1BA
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007C330C mov eax, dword ptr fs:[00000030h] 0_2_007C330C
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_0079765D mov ecx, dword ptr fs:[00000030h] 0_2_0079765D
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_0079B9E5 mov eax, dword ptr fs:[00000030h] 0_2_0079B9E5
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_004014AD mov eax, dword ptr fs:[00000030h] 2_2_004014AD
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0040148A mov eax, dword ptr fs:[00000030h] 2_2_0040148A
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_004014A2 mov eax, dword ptr fs:[00000030h] 2_2_004014A2
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_004185DC mov eax, dword ptr fs:[00000030h] 2_2_004185DC
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0079B9E5 mov eax, dword ptr fs:[00000030h] 2_2_0079B9E5
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00791659 mov edi, dword ptr fs:[00000030h] 2_2_00791659
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0079765D mov ecx, dword ptr fs:[00000030h] 2_2_0079765D
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_0079C45E GetProcessHeap, 0_2_0079C45E
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00792305 SetUnhandledExceptionFilter, 0_2_00792305
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00796984 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00796984
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00791CCE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00791CCE
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041D05A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041D05A
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0041D9DC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041D9DC
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0042767E SetUnhandledExceptionFilter, 2_2_0042767E
                      Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exeCode function: 2_2_00792178 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00792178
                      Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exeCode function: 2_2_00796984 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00796984
                      Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exeCode function: 2_2_00792305 SetUnhandledExceptionFilter,2_2_00792305
                      Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exeCode function: 2_2_00791CCE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00791CCE

                      HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7404, type: MEMORYSTR
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_0040F51F _memset,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Memory written: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe"
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" & rd /s /q "C:\ProgramData\IDGIJEGHDAEC" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_007ABE6B cpuid
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,0_2_007D0163
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_007D22F6
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,0_2_007D47D0
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_007D58C0
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,0_2_007D4AEE
                      Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_007D3B44
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: GetLocaleInfoA,2_2_00410DB0
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0042B11C
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,2_2_0042B211
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_00429AA0
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,2_2_0042B2B8
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,2_2_0042B313
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,2_2_0042AB90
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,2_2_00425433
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,2_2_0042B4E4
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,2_2_004274EC
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_004275C6
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_0042B5D0
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: EnumSystemLocalesA,2_2_0042B5A6
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,2_2_00429DBE
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,2_2_0042E5BF
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,2_2_0042B673
                      Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_00428E14
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_0042B637
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: GetLocaleInfoA,2_2_0042E6F4
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 0_2_00792065 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00410C28 GetProcessHeap,HeapAlloc,GetUserNameA
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Code function: 2_2_00410D03 GetTimeZoneInformation
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.7ab930.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Unlock_Tool_2.3.1.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Unlock_Tool_2.3.1.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.7ab930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7404, type: MEMORYSTR
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

                      Remote Access Functionality

Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.7ab930.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Unlock_Tool_2.3.1.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Unlock_Tool_2.3.1.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Unlock_Tool_2.3.1.exe.7ab930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Unlock_Tool_2.3.1.exe PID: 7404, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 211 Process Injection | 3 Obfuscated Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 45 System Information Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 161 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 211 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1538171 | Sample: Unlock_Tool_2.3.1.exe | Startdate: 20/10/2024 | Architecture: WINDOWS | Score: 100
Contacted hosts: steamcommunity.com (104.102.49.254, 443, 49827, AKAMAI-ASUS, United States); t.me (149.154.167.99, 443, 49850, TELEGRAMRU, United Kingdom); 65.109.142.154 (443, 49839, ALABANZA-BALTUS, United States); cowod.hopto.org
Sample-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
Process tree: Unlock_Tool_2.3.1.exe [Self deletion via cmd or bat file; Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes] -> Unlock_Tool_2.3.1.exe (child) [Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Self deletion via cmd or bat file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to harvest and steal ftp login credentials] -> cmd.exe -> conhost.exe, timeout.exe; Unlock_Tool_2.3.1.exe -> WerFault.exe

Source | Detection | Scanner | Label | Link
Unlock_Tool_2.3.1.exe | 66% | ReversingLabs | Win32.Trojan.StealC
Unlock_Tool_2.3.1.exe | 100% | Avira | HEUR/AGEN.1305290
Unlock_Tool_2.3.1.exe | 100% | Joe Sandbox ML
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
https://player.vimeo.com | 0% | URL Reputation | safe
http://cowod.hopto.org | 0% | URL Reputation | safe
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://www.gstatic.cn/recaptcha/ | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
http://cowod.hopto.org_DEBUG.zip/c | 0% | URL Reputation | safe
http://cowod.hopto. | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
http://cowod.hopto | 0% | URL Reputation | safe
https://steam.tv/ | 0% | URL Reputation | safe
http://www.entrust.net/rpa03 | 0% | URL Reputation | safe
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
https://lv.queniujq.cn | 0% | URL Reputation | safe
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://checkout.steampowered.com/ | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
https://store.steampowered.com/; | 0% | URL Reputation | safe
https://www.entrust.net/rpa0 | 0% | URL Reputation | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://ocsp.entrust.net02 | 0% | URL Reputation | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://store.steampowered.com/news/ | 0% | URL Reputation | safe
https://recaptcha.net/recaptcha/; | 0% | URL Reputation | safe
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
https://medal.tv | 0% | URL Reputation | safe
https://broadcast.st.dl.eccdnx.com | 0% | URL Reputation | safe
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
http://crl.entrust.net/ts1ca.crl0 | 0% | URL Reputation | safe
https://login.steampowered.com/ | 0% | URL Reputation | safe
http://cowod.hopto.org/ | 0% | URL Reputation | safe
https://recaptcha.net | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.49.254 | true | true | | unknown
t.me | 149.154.167.99 | true | false | | unknown
cowod.hopto.org | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://t.me/lpnjoke | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://player.vimeo.com | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199786602107 | 76561199786602107[1].htm.2.dr | false | | unknown
https://steamcommunity.com/?subsection=broadcasts | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | | unknown
http://cowod.hopto.org | Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV | Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | | unknown
https://store.steampowered.com/subscriber_agreement/ | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | URL Reputation: safe | unknown
https://www.gstatic.cn/recaptcha/ | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l= | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub& | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=jq1jQyX1843y&amp | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | | unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE | Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.dr | false | | unknown
                                              http://www.valvesoftware.com/legal.htmUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://recaptcha.net/recaptcha/Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
                                                https://www.youtube.comUnlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://www.google.comUnlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://steamcommunity.com/profiles/76561199786602107yUnlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.000000000127A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://cowod.hopto.org_DEBUG.zip/cUnlock_Tool_2.3.1.exe, 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://cowod.hopto.orgclass=Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://cowod.hopto.Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://t.me/lpnjokeg0b4cMozilla/5.0Unlock_Tool_2.3.1.exe, 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                          unknown
                                                          https://steamcommunity.com/profiles/76561199786602107hUnlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.000000000127A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://cowod.hoptoUnlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://community.cloudflare.steamstatic.com/public/css/appUnlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://65.109.142.15476561199786602107[1].htm.2.drfalse
                                                                unknown
                                                                https://s.ytimg.com;Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  https://steam.tv/Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                    unknown
                                                                    http://www.entrust.net/rpa03Unlock_Tool_2.3.1.exefalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=4XouUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                      unknown
                                                                      https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                        unknown
                                                                        https://store.steampowered.com/points/shop/Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPKUnlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                          unknown
                                                                          https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&ampUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                            unknown
                                                                            https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=D_iTAfDsLHUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                              unknown
                                                                              https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                unknown
                                                                                https://sketchfab.comUnlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://lv.queniujq.cnUnlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://www.youtube.com/Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://store.steampowered.com/privacy_agreement/Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/Unlock_Tool_2.3.1.exe, 00000002.00000003.2400483429.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                        unknown
                                                                                        https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?vUnlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://community.cloudflare.steaUnlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                              unknown
                                                                                              https://www.google.com/recaptcha/Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                https://checkout.steampowered.com/Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://cowod.hoptotmlUnlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28bUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                    unknown
                                                                                                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.pngUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                      unknown
                                                                                                      http://crl.entrust.net/2048ca.crl0Unlock_Tool_2.3.1.exefalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://store.steampowered.com/;Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000003.2400133479.00000000012DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engliUnlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                        unknown
                                                                                                        https://www.entrust.net/rpa0Unlock_Tool_2.3.1.exefalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://store.steampowered.com/about/76561199786602107[1].htm.2.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://cowod.hopto.orgsive/header_logo.pngUnlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://community.cloudflare.steamstatic.com/Unlock_Tool_2.3.1.exe, 00000002.00000003.2399682592.00000000012A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://steamcommunity.com/my/wishlist/Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                              unknown
                                                                                                              https://t.me/Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                                  unknown
                                                                                                                  http://ocsp.entrust.net03Unlock_Tool_2.3.1.exefalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://ocsp.entrust.net02Unlock_Tool_2.3.1.exefalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://help.steampowered.com/en/Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://steamcommunity.com/market/Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                                    unknown
                                                                                                                    https://store.steampowered.com/news/Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://steamcommunity.com/profiles/76561199786602107g0b4cMozilla/5.0Unlock_Tool_2.3.1.exe, 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://65.109.142.154/0Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=Unlock_Tool_2.3.1.exe, 00000002.00000003.2400297153.0000000001299000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2447739196.0000000001291000.00000004.00000020.00020000.00000000.sdmp, Unlock_Tool_2.3.1.exe, 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, 76561199786602107[1].htm.2.drfalse
                                                                                                                            unknown
                                                                                                                            https://65.109.142.154/%Unlock_Tool_2.3.1.exe, 00000002.00000003.2421704792.00000000012A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
IP               Domain               Country          ASN     ASN Name          Malicious
104.102.49.254   steamcommunity.com   United States    16625   AKAMAI-ASUS       true
65.109.142.154   unknown              United States    11022   ALABANZA-BALTUS   false
149.154.167.99   t.me                 United Kingdom   62041   TELEGRAMRU        false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538171
Start date and time: 2024-10-20 17:58:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Unlock_Tool_2.3.1.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/7@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 47
• Number of non-executed functions: 135
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: Unlock_Tool_2.3.1.exe
Time       Type              Description
11:59:17   API Interceptor   1x Sleep call for process: WerFault.exe modified
11:59:31   API Interceptor   1x Sleep call for process: Unlock_Tool_2.3.1.exe modified
                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                    104.102.49.254http://gtm-cn-j4g3qqvf603.steamproxy1.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • www.valvesoftware.com/legal.htm
                                                                                                                                                                    65.109.142.154aZm1EZ2IYr.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                      Unlock_Tool_2.4.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                        yAkRyU2LPe.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                          149.154.167.99http://xn--r1a.website/s/ogorodruGet hashmaliciousUnknownBrowse
                                                                                                                                                                          • telegram.org/img/favicon.ico
                                                                                                                                                                          http://cryptorabotakzz.com/Get hashmaliciousUnknownBrowse
• telegram.org/
 | http://cache.netflix.com.id1.wuush.us.kg/ | malicious | Unknown | telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
 | http://investors.spotify.com.sg2.wuush.us.kg/ | malicious | Unknown | telegram.org/
 | http://bekaaviator.kz/ | malicious | Unknown | telegram.org/
 | http://telegramtw1.org/ | malicious | Unknown | telegram.org/?setln=pl
 | http://makkko.kz/ | malicious | Unknown | telegram.org/
 | http://telegram.dog | malicious | Unknown | telegram.dog/
 | LnSNtO8JIa.exe | malicious | Cinoshi Stealer | t.me/cinoshibot
 | jtfCFDmLdX.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
Match | Associated Sample Name / URL | Detection | Threat Name | Context
t.me | aZm1EZ2IYr.exe | malicious | Vidar | 149.154.167.99
 | Unlock_Tool_2.4.exe | malicious | Vidar | 149.154.167.99
 | SecuriteInfo.com.Win32.DropperX-gen.7855.32539.exe | malicious | Xehook Stealer | 149.154.167.99
 | https://njanimallaw.com/divorce-family-law/ | malicious | Unknown | 162.241.217.237
 | https://linkifly.net/TRACKING | malicious | Unknown | 50.6.153.232
 | https://hwu.iaa.mybluehost.me/vvvop/SEEKKK/ | malicious | Unknown | 50.6.153.232
 | nvANxkZUSC.elf | malicious | Mirai | 194.120.230.54
steamcommunity.com | WinFIG.exe | malicious | LummaC | 104.102.49.254
 | WinFIG-2024.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | SentinelOculus.exe | malicious | LummaC | 104.102.49.254
 | Download.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | AxoPac.exe | malicious | LummaC | 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | aZm1EZ2IYr.exe | malicious | Vidar | 149.154.167.99
 | Unlock_Tool_2.4.exe | malicious | Vidar | 149.154.167.99
 | PROFOMA INVOICE 90021144577.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | routcrying.exe | malicious | Snake Keylogger | 149.154.167.220
 | mnobizx.com.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | mnobizx.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | SecuriteInfo.com.Win32.DropperX-gen.7855.32539.exe | malicious | Xehook Stealer | 149.154.167.99
 | rcota____oRFQNO-N__merodopedido106673.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe | malicious | Python Stealer, Braodo | 149.154.167.220
 | Wuerth_factura_4052073226..exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
ALABANZA-BALTUS | aZm1EZ2IYr.exe | malicious | Vidar | 65.109.142.154
 | Unlock_Tool_2.4.exe | malicious | Vidar | 65.109.142.154
 | yAkRyU2LPe.exe | malicious | Vidar | 65.109.142.154
 | y45bCpZY1I.exe | malicious | Vidar | 65.109.241.236
 | xy894fdlWJ.exe | malicious | Vidar | 65.109.241.236
 | yakuza.sparc.elf | malicious | Unknown | 64.176.208.213
 | file.exe | malicious | Vidar | 65.109.241.236
 | file.exe | malicious | Unknown | 65.109.241.236
 | PURCHASE_ORDER.exe | malicious | DBatLoader, Remcos | 64.176.178.205
 | http://nndpdnm.3utilities.com/#bd5on/p8la73b/LoiU9/1oQd1tRDE-SUREIDANt92YuMXZpJHZuV3bmxWYi9GbnBUY5hGZhBHc15Cdp1WY | malicious | HTMLPhisher | 65.108.133.178
AKAMAI-ASUS | WinFIG.exe | malicious | LummaC | 104.102.49.254
 | WinFIG-2024.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | SentinelOculus.exe | malicious | LummaC | 104.102.49.254
 | Download.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | AxoPac.exe | malicious | LummaC | 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | aZm1EZ2IYr.exe | malicious | Vidar | 65.109.142.154
 | Unlock_Tool_2.4.exe | malicious | Vidar | 65.109.142.154
 | yAkRyU2LPe.exe | malicious | Vidar | 65.109.142.154
 | y45bCpZY1I.exe | malicious | Vidar | 65.109.142.154
 | xy894fdlWJ.exe | malicious | Vidar | 65.109.142.154
 | file.exe | malicious | Vidar | 65.109.142.154
 | file.exe | malicious | Unknown | 65.109.142.154
 | EP2E1yYJyT.exe | malicious | Unknown | 65.109.142.154
 | 9evHLnwull.exe | malicious | Vidar | 65.109.142.154
 | tiCW7a3x1P.exe | malicious | Vidar | 65.109.142.154
37f463bf4616ecd445d4a1937da06e19 | 3507071243740008011.exe | malicious | GuLoader | 104.102.49.254, 149.154.167.99
 | aZm1EZ2IYr.exe | malicious | Vidar | 104.102.49.254, 149.154.167.99
 | Unlock_Tool_2.4.exe | malicious | Vidar | 104.102.49.254, 149.154.167.99
 | JuyR4wj8av.exe | malicious | Stealc, Vidar | 104.102.49.254, 149.154.167.99
 | SecuriteInfo.com.FileRepMalware.4445.21502.exe | malicious | Unknown | 104.102.49.254, 149.154.167.99
 | yAkRyU2LPe.exe | malicious | Vidar | 104.102.49.254, 149.154.167.99
 | EL7ggW7AdA.exe | malicious | Stealc, Vidar | 104.102.49.254, 149.154.167.99
 | y45bCpZY1I.exe | malicious | Vidar | 104.102.49.254, 149.154.167.99
 | xy894fdlWJ.exe | malicious | Vidar | 104.102.49.254, 149.154.167.99
 | SecuriteInfo.com.Win32.Evo-gen.14702.4787.exe | malicious | KoiLoader | 104.102.49.254, 149.154.167.99
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.6655377807856876
Encrypted: false
SSDEEP: 96:/ikFm0FsHWZAa7sNhKoI7Rn6tQXIDcQvc6QcEVcw3cE/6uD+HbHg/5hZAX/d5FM4:LcnWua7N0BU/uugjhzuiFjZ24IO8ds
MD5: 0D06F3450E16E76C095190FAB67570D3
SHA1: 3B3C9B4E89675B525770D8BE03E8927494AA1B48
SHA-256: 2807621C3F32F59CF46E7A13C13B21307BA2B32B315F981CB5394EA78EE2AFB6
SHA-512: 458D201CBC3D0C8BDA0FDA828A26F22DA9EDAA7AC5CD49C5DCB48DFEB2F17BF376853BF9BD3473BD8ABD892A28DD2213F885AE10FF15259B86CC8E5FBF30D147
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.9.1.3.5.3.9.4.7.1.6.5.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.9.1.3.5.4.0.6.4.8.4.7.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.5.1.1.5.0.7.-.1.d.4.5.-.4.4.d.d.-.b.3.1.1.-.3.e.0.6.6.0.6.d.6.c.7.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.8.c.c.a.a.0.-.d.f.d.6.-.4.a.d.0.-.b.b.1.4.-.1.5.9.b.4.7.1.a.b.0.d.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.U.n.l.o.c.k._.T.o.o.l._.2...3...1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.a.8.-.0.0.0.1.-.0.0.1.5.-.c.5.7.5.-.0.c.f.9.0.8.2.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.8.f.2.1.d.0.2.f.c.9.6.6.7.b.b.5.7.7.5.2.6.8.3.7.0.6.6.e.8.4.1.0.0.0.0.f.f.f.f.!.0.0.0.0.5.1.3.2.4.f.4.0.9.5.f.e.7.3.a.9.9.d.0.8.0.d.9.f.0.b.b.a.1.c.8.2.9.4.3.0.b.b.1.8.!.U.n.l.o.c.k._.T.o.o.l._.2...3...1...e.x.e.....
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Mini DuMP crash report, 14 streams, Sun Oct 20 15:58:59 2024, 0x1205a4 type
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):31998
                                                                                                                                                                          Entropy (8bit):1.707530637222622
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:96:5Q8P3QJKBTaS59+HyjSi77vnbK2Gv5aWV+NklIt3yrKVkjS68LWx4Wqx9avYfCoD:JfQAzAFOC2GxHqko3Zz8P1VEQ
                                                                                                                                                                          MD5:DB56F8E8F3EF3BF64A4CDD6907B73E0E
                                                                                                                                                                          SHA1:2718B3A3E54C443BBAB2528C0BFCBC43F3041C1E
                                                                                                                                                                          SHA-256:5EA0C4A53CC5E7B889406299C56D1A8BD7E929CBAACBC92D58ECC38C91BEEF41
                                                                                                                                                                          SHA-512:6054A8636AE3E6DB5796EB2EDBD22395C1D2BCA951A146CB163F31DCB67F4ED0636F5E6336783CB2A4C5B423A9466B616990539E81ECA946443547A2EB37C9C3
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:MDMP..a..... ........(.g........................d...........................T.......8...........T...............Nr......................................................................................................eJ..............GenuineIntel............T............(.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):8428
                                                                                                                                                                          Entropy (8bit):3.6998131136811434
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:192:R6l7wVeJgL666Y2DxSUUzgmfZppr789bNdsfN7vm:R6lXJs666YMSUogmfZoNWfN6
                                                                                                                                                                          MD5:46AABF99AEAF4D5354EEC13821E4E9E2
                                                                                                                                                                          SHA1:BBA7529A21521C1F942A0F9573C3B9AA7EFBE88D
                                                                                                                                                                          SHA-256:8D508AEFA022CECA2E5D8C77CBDC0743DCA6667871D7317070A60F72FC1DCF2E
                                                                                                                                                                          SHA-512:6514263A4817488E3153E91FCBC60A3FF9DA57CD40D8CB842C5FD6A30DD99B710610E4EAD689D473397BC09E42E0C4541D6FF51DA1DC26BC81B0DB720ABCA70F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.3.6.<./.P.i.
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):4755
                                                                                                                                                                          Entropy (8bit):4.497133012266415
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:48:cvIwWl8zspJg77aI9rAWpW8VYPYm8M4Jn7Ft+q8v00MfBzkSeTd:uIjf7I7F57VDJjKr4BzkSGd
                                                                                                                                                                          MD5:9F9A7808E7372704A1EC6B370D98CB53
                                                                                                                                                                          SHA1:29CA22BAEE85FE4CC032D83819AA3BB158027898
                                                                                                                                                                          SHA-256:B741A2D9CD9C6A1AFE985FB9F0801AD86F29C18C029FB5F7546282417EB69C1F
                                                                                                                                                                          SHA-512:CA766266EEFED1FEB5EAEC5CA4BF10EF7460DE87A3AFCFA12C91F9E8BE76FC8DC12D31DD304BE1FD03A8AAD5E4E212483C386926A654AC38826706139F42E97E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="551941" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                          Process:C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe
                                                                                                                                                                          File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3146), with CRLF, LF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):30851
                                                                                                                                                                          Entropy (8bit):5.426611821930421
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:J7pqLjWYmmwB5DPgqaciNGAnTBv++nIjBtPF5zfukPco1AULTBv++nIjBtPF5x2q:J78LjWYmmwB5DPgqaccnTBv++nIjBtPk
                                                                                                                                                                          MD5:F7BA6379A11814D6122AF75717FE767E
                                                                                                                                                                          SHA1:0D59A98C819F506385E2D44CE14333DCE013B59A
                                                                                                                                                                          SHA-256:EA3C76CB3566CB536B62E65F12B9FB46D50C957CC3C27AC3A8AB697784C7B822
                                                                                                                                                                          SHA-512:49314FA288E883AEE974FE669CDC86E7BBDA77DCC8C8CA63E0E9A11ED6D5F82DEAE26B6787D28F5109C7145036669DEA9A6F89AE7B994585687F2C9F8031FC63
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: g0b4c https://65.109.142.154|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=nBdvNPPzc0qI&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.
                                                                                                                                                                          Process:C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe
                                                                                                                                                                          File Type:ISO-8859 text, with very long lines (65536), with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1048575
                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:tctl:Ql
                                                                                                                                                                          MD5:5F711BA80E4BD5BBA0B00C388AA7F2AD
                                                                                                                                                                          SHA1:869831162B0035C0684F82075F83E623A0B48883
                                                                                                                                                                          SHA-256:56F5C8C65EB28ADAD904E4284898D254993342EC3BACFC23B7C1DEA6745AD835
                                                                                                                                                                          SHA-512:E1C9EFD52E2CF0DBAB389BE90F3D8639B914F07BF9B54C8DB79DB8676EFCE793F5672B5E6024B455FC4BF7E0D9516829E2B0D963B47ED9D7D15A402E8E16E730
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1835008
                                                                                                                                                                          Entropy (8bit):4.468673433098864
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6144:nzZfpi6ceLPx9skLmb0f3ZWSP3aJG8nAgeiJRMMhA2zX4WABluuN3jDH5S:zZHt3ZWOKnMM6bFpVj4
                                                                                                                                                                          MD5:B99025DF3786446CCEADDF32356A126A
                                                                                                                                                                          SHA1:2B9924CA0D548110CBFF7EC523BF9FED22DD4CD9
                                                                                                                                                                          SHA-256:6C1C16248E648D111BFE922F91C0220F8721653C46CF715AF9A93B4127E5DAC9
                                                                                                                                                                          SHA-512:27AD1F8014765B78DBA9482FC22E5955475942E6FED0611479C3AC21B697CFBEB4D8964132F8B4FEC362671DA93FA3DE7E72D2F28D6C9321D53D39E0BB323296
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.`...#..............................................................................................................................................................................................................................................................................................................................................D)..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
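Two of the dropped files above carry the triage signal in this run, and the script below, an added example that is not part of the Joe Sandbox report, shows how to pull it out offline. The Report.wer written by WerFault.exe is UTF-16 text whose EventType is BEX (the WER bucket for buffer-overrun and DEP-type faults) and whose TargetAppId ends in 0000 followed by a 40-hex SHA1; in this report that SHA1 is 51324f4095fe73a99d080d9f0bba1c829430bb18, the submitted sample's own, so the crash dumps belong to Unlock_Tool_2.3.1.exe itself and are not evidence that the stealer never ran. The HTML file dropped by the sample is a Steam Community profile page whose title reads "Steam Community :: g0b4c https://65.109.142.154|"; Vidar resolves its C2 from a profile name terminated with "|", which is why a Steam page sits among a stealer's dropped files. The inputs embedded in the code are constructed by transcribing the previews printed above (the dots in the UTF-16 preview are NUL bytes), the TargetAppId layout W:<id>!<0000+sha1>!<name> is read off this single record rather than taken from any specification, and the function names are my own.

```python
import re
from typing import Optional

# Constructed input: the Report.wer fields transcribed from the preview in
# the report. The "File Type" line says UTF-16 LE with CRLF terminators, so
# it is re-encoded that way (with BOM) to exercise the decoder below.
WER_REPORT_TEXT = (
    "Version=1\r\n"
    "EventType=BEX\r\n"
    "EventTime=133739135394716573\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=133739135406484739\r\n"
    "ReportStatus=524288\r\n"
    "ReportIdentifier=e4511507-1d45-44dd-b311-3e06606d6c77\r\n"
    "IntegratorReportIdentifier=de8ccaa0-dfd6-4ad0-bb14-159b471ab0d1\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "NsAppName=Unlock_Tool_2.3.1.exe\r\n"
    "AppSessionGuid=00001ca8-0001-0015-c575-0cf90823db01\r\n"
    "TargetAppId=W:0006a8f21d02fc9667bb577526837066e8410000ffff"
    "!000051324f4095fe73a99d080d9f0bba1c829430bb18!Unlock_Tool_2.3.1.exe\r\n"
)
WER_REPORT_BYTES = WER_REPORT_TEXT.encode("utf-16")  # BOM + native (LE) order

# Constructed input: the head of the dropped Steam profile page, cut down to
# the tags that matter; the <title> is verbatim from the preview.
STEAM_HTML = (
    '<!DOCTYPE html>\n<html class=" responsive" lang="en">\n<head>\n'
    '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">\n'
    '<title>Steam Community :: g0b4c https://65.109.142.154|</title>\n'
    "</head><body></body></html>\n"
)

# SHA1 of the submitted sample, from the report header.
SAMPLE_SHA1 = "51324f4095fe73a99d080d9f0bba1c829430bb18"


def parse_wer_report(raw: bytes) -> dict:
    """Decode a Report.wer blob (UTF-16 with BOM) into a Key -> Value dict."""
    text = raw.decode("utf-16")  # honours and strips the BOM
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def faulting_binary_sha1(fields: dict) -> Optional[str]:
    """
    TargetAppId in this record has the shape W:<44 hex>!<0000 + sha1>!<exe>.
    Return the 40-hex tail of the second '!'-separated segment (assumed here
    to be the SHA1 of the faulting image; it matches the sample's SHA1).
    """
    parts = fields.get("TargetAppId", "").split("!")
    if len(parts) < 2:
        return None
    m = re.search(r"([0-9a-fA-F]{40})$", parts[1])
    return m.group(1).lower() if m else None


def extract_steam_dead_drop(html: str) -> list:
    """
    Pull C2 URLs out of a Steam Community profile page. The profile name sits
    in '<title>Steam Community :: <name></title>' and the embedded address is
    terminated with '|'. A profile without such a name yields an empty list.
    """
    m = re.search(r"<title>\s*Steam Community ::(.*?)</title>", html, re.S | re.I)
    if not m:
        return []
    return re.findall(r"https?://[^\s|<>\"']+(?=\|)", m.group(1))


def triage(wer_raw: bytes, steam_html: str, sample_sha1: str) -> dict:
    """Summarise what the two dropped files say about the run."""
    fields = parse_wer_report(wer_raw)
    sha1 = faulting_binary_sha1(fields)
    return {
        "event_type": fields.get("EventType"),
        "app": fields.get("NsAppName"),
        "crash_is_sample": sha1 == sample_sha1.lower(),
        "c2": extract_steam_dead_drop(steam_html),
    }


if __name__ == "__main__":
    print(triage(WER_REPORT_BYTES, STEAM_HTML, SAMPLE_SHA1))
```

Run against real artifacts, read Report.wer in binary mode (the BOM decides the byte order) and feed the saved profile page as text; the URL regex stops at the "|" terminator on purpose, so a genuine profile name that merely contains a link without the terminator is not reported as C2.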
                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Entropy (8bit):7.068877902497512
                                                                                                                                                                          TrID:
                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                          File name:Unlock_Tool_2.3.1.exe
                                                                                                                                                                          File size:617'000 bytes
                                                                                                                                                                          MD5:72162382680c702829c6ceed17d2e507
                                                                                                                                                                          SHA1:51324f4095fe73a99d080d9f0bba1c829430bb18
                                                                                                                                                                          SHA256:eaae82540ddec53797abee6d3bf507acace850f3fff7cb2a03b6a26ab0b5c46f
SHA512: 27787baedb4fafe7884369d9cafb762aaa540e8130c7acefd618c4fb40e1c3459bcfe94df5f1aadc1245fcb52900692f96200d021f5d3bd6087ab12c3661d397
SSDEEP: 12288:9/kD3wynB4WIz1hhnpF6SnU/wq0vWCfIBM+09d83nEO:SwynIPU/wqsWCfIdm6Xt
TLSH: 9DD412127AC1C435E6325E310590DBB04F7DF8752E108EEB239856BB5FA02D1DD26EAB
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{u.............(h......(h..v...(h......(h..............................................................Rich............PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x401cc4
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6711203F [Thu Oct 17 14:33:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 39a5f7fa9f5c10de8f3718b5b2b8bc8f
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain
• CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version: 3
Thumbprint MD5: 5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1: 15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256: 28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial: 0997C56CAA59055394D9A9CDB8BEEB56
Instruction
call 00007F576CC6433Eh
jmp 00007F576CC63DCFh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00414008h]
push dword ptr [ebp+08h]
call dword ptr [00414004h]
push C0000409h
call dword ptr [0041400Ch]
push eax
call dword ptr [00414010h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00414014h]
test eax, eax
je 00007F576CC63F57h
push 00000002h
pop ecx
int 29h
mov dword ptr [0047BE78h], eax
mov dword ptr [0047BE74h], ecx
mov dword ptr [0047BE70h], edx
mov dword ptr [0047BE6Ch], ebx
mov dword ptr [0047BE68h], esi
mov dword ptr [0047BE64h], edi
mov word ptr [0047BE90h], ss
mov word ptr [0047BE84h], cs
mov word ptr [0047BE60h], ds
mov word ptr [0047BE5Ch], es
mov word ptr [0047BE58h], fs
mov word ptr [0047BE54h], gs
pushfd
pop dword ptr [0047BE88h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0047BE7Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0047BE80h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0047BE8Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0047BDC8h], 00010001h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a678 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7d000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x94400 | 0x2628 | .dash
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x10b0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x19958 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x19898 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14000 | 0x108 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12530 | 0x12600 | 1dd7d81d62409b332bb828eee3aacf2d | False | 0.6117267219387755 | COM executable for DOS | 6.64221570515426 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x14000 | 0x6c64 | 0x6e00 | e29701e725ee3bdda6bbb667b21841c0 | False | 0.46782670454545455 | data | 5.090175375333947 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x617bc | 0x60e00 | c963fba4ac0e01ba716890477419d36c | False | 0.9950630040322581 | data | 7.996108683776517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7d000 | 0x1e0 | 0x200 | 5fcefbf8ca00d90307acdcd0df127502 | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x10b0 | 0x1200 | 6b45c3a5f2b0d65c52ba686507ebff50 | False | 0.7302517361111112 | data | 6.294753789118545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.dash | 0x80000 | 0x186a0 | 0x18800 | 425814aaa9d11321e37bec742e2fa273 | False | 0.0027004942602040817 | data | 0.01834679374989137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x7d060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | TlsFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, LCMapStringW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, HeapSize, HeapReAlloc, CloseHandle, CreateFileW, DecodePointer
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-20T17:59:29.851328+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 49839 | 65.109.142.154 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 17:59:26.463424921 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:26.463459015 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:26.467294931 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:26.503307104 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:26.503317118 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:27.578979969 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:27.579058886 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:27.622817993 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:27.622833967 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:27.623847008 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:27.623908997 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:27.626343966 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:27.671401978 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.300414085 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.300476074 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.300529957 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.300549984 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.300565958 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.300582886 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.300609112 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.300614119 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.300647020 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.300746918 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.311141014 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.311187983 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.311223984 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.311228991 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.311258078 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.311325073 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.328943968 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.329058886 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.329247952 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.330781937 CEST | 49827 | 443 | 192.168.2.6 | 104.102.49.254
Oct 20, 2024 17:59:28.330795050 CEST | 443 | 49827 | 104.102.49.254 | 192.168.2.6
Oct 20, 2024 17:59:28.394776106 CEST | 49839 | 443 | 192.168.2.6 | 65.109.142.154
Oct 20, 2024 17:59:28.394833088 CEST | 443 | 49839 | 65.109.142.154 | 192.168.2.6
Oct 20, 2024 17:59:28.395008087 CEST | 49839 | 443 | 192.168.2.6 | 65.109.142.154
Oct 20, 2024 17:59:28.395211935 CEST | 49839 | 443 | 192.168.2.6 | 65.109.142.154
Oct 20, 2024 17:59:28.395239115 CEST | 443 | 49839 | 65.109.142.154 | 192.168.2.6
Oct 20, 2024 17:59:29.851219893 CEST | 443 | 49839 | 65.109.142.154 | 192.168.2.6
Oct 20, 2024 17:59:29.851327896 CEST | 49839 | 443 | 192.168.2.6 | 65.109.142.154
Oct 20, 2024 17:59:29.855159044 CEST | 49839 | 443 | 192.168.2.6 | 65.109.142.154
Oct 20, 2024 17:59:29.855174065 CEST | 443 | 49839 | 65.109.142.154 | 192.168.2.6
Oct 20, 2024 17:59:29.855379105 CEST | 443 | 49839 | 65.109.142.154 | 192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:29.855787992 CEST49839443192.168.2.665.109.142.154
                                                                                                                                                                          Oct 20, 2024 17:59:29.855942011 CEST49839443192.168.2.665.109.142.154
                                                                                                                                                                          Oct 20, 2024 17:59:29.903397083 CEST4434983965.109.142.154192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:30.500529051 CEST4434983965.109.142.154192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:30.500566006 CEST4434983965.109.142.154192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:30.500602007 CEST49839443192.168.2.665.109.142.154
                                                                                                                                                                          Oct 20, 2024 17:59:30.500662088 CEST49839443192.168.2.665.109.142.154
                                                                                                                                                                          Oct 20, 2024 17:59:30.501352072 CEST49839443192.168.2.665.109.142.154
                                                                                                                                                                          Oct 20, 2024 17:59:30.501398087 CEST4434983965.109.142.154192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:30.537729025 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:30.537825108 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:30.537941933 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:30.538223982 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:30.538263083 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:32.089548111 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:32.089663029 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:32.093522072 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:32.093544960 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:32.093753099 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:32.093810081 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:32.094136000 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:32.139405966 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:32.411173105 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:32.411204100 CEST44349850149.154.167.99192.168.2.6
                                                                                                                                                                          Oct 20, 2024 17:59:32.411245108 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:32.411309958 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:32.411425114 CEST49850443192.168.2.6149.154.167.99
                                                                                                                                                                          Oct 20, 2024 17:59:32.411456108 CEST44349850149.154.167.99192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 17:59:26.448151112 CEST | 63216 | 53 | 192.168.2.6 | 1.1.1.1
Oct 20, 2024 17:59:26.455492973 CEST | 53 | 63216 | 1.1.1.1 | 192.168.2.6
Oct 20, 2024 17:59:30.529553890 CEST | 54141 | 53 | 192.168.2.6 | 1.1.1.1
Oct 20, 2024 17:59:30.537019014 CEST | 53 | 54141 | 1.1.1.1 | 192.168.2.6
Oct 20, 2024 17:59:32.793426991 CEST | 51030 | 53 | 192.168.2.6 | 1.1.1.1
Oct 20, 2024 17:59:32.803896904 CEST | 53 | 51030 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 20, 2024 17:59:26.448151112 CEST | 192.168.2.6 | 1.1.1.1 | 0x262b | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 20, 2024 17:59:30.529553890 CEST | 192.168.2.6 | 1.1.1.1 | 0x3d92 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
Oct 20, 2024 17:59:32.793426991 CEST | 192.168.2.6 | 1.1.1.1 | 0x89f9 | Standard query (0) | cowod.hopto.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 20, 2024 17:59:26.455492973 CEST | 1.1.1.1 | 192.168.2.6 | 0x262b | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 20, 2024 17:59:30.537019014 CEST | 1.1.1.1 | 192.168.2.6 | 0x3d92 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49827 | 104.102.49.254 | 443 | 7404 | C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe

Timestamp, Bytes transferred, Direction, Data:

2024-10-20 15:59:27 UTC, 119 bytes, OUT:
GET /profiles/76561199786602107 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache

2024-10-20 15:59:28 UTC, 1917 bytes, IN:
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sun, 20 Oct 2024 15:59:27 GMT
Content-Length: 35803
Connection: close
Set-Cookie: sessionid=12c5731a8e4f603c0364a5a5; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7C0e3d185a3e106e73b244decdec33a0ea; Path=/; Secure; HttpOnly; SameSite=None

2024-10-20 15:59:28 UTC, 14467 bytes, IN, Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><

2024-10-20 15:59:28 UTC, 16384 bytes, IN, Data Ascii: Home</a><a class="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49839 | 65.109.142.154 | 443 | 7404 | C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe

Timestamp, Bytes transferred, Direction, Data:

2024-10-20 15:59:29 UTC, 187 bytes, OUT:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 65.109.142.154
Connection: Keep-Alive
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49850 | 149.154.167.99 | 443 | 7404 | C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe

Timestamp, Bytes transferred, Direction, Data:

2024-10-20 15:59:32 UTC, 86 bytes, OUT:
GET /lpnjoke HTTP/1.1
Host: t.me
Connection: Keep-Alive
Cache-Control: no-cache


Target ID: 0
Start time: 11:58:58
Start date: 20/10/2024
Path: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe"
Imagebase: 0x790000
File size: 617'000 bytes
MD5 hash: 72162382680C702829C6CEED17D2E507
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 11:58:58
Start date: 20/10/2024
Path: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe"
Imagebase: 0x790000
File size: 617'000 bytes
MD5 hash: 72162382680C702829C6CEED17D2E507
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2446832574.0000000000481000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 5
Start time: 11:58:59
Start date: 20/10/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7336 -s 272
Imagebase: 0x450000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:15
                                                                                                                                                                          Start time:11:59:32
                                                                                                                                                                          Start date:20/10/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe" & rd /s /q "C:\ProgramData\IDGIJEGHDAEC" & exit
                                                                                                                                                                          Imagebase:0x1c0000
                                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:16
                                                                                                                                                                          Start time:11:59:32
                                                                                                                                                                          Start date:20/10/2024
                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                          Imagebase:0x7ff66e660000
                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:17
                                                                                                                                                                          Start time:11:59:32
                                                                                                                                                                          Start date:20/10/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:timeout /t 10
                                                                                                                                                                          Imagebase:0xc50000
                                                                                                                                                                          File size:25'088 bytes
                                                                                                                                                                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:high
                                                                                                                                                                          Has exited:true


                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:0.9%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                            Signature Coverage:4.5%
                                                                                                                                                                            Total number of Nodes:220
                                                                                                                                                                            Total number of Limit Nodes:4

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 170 791659-7916ac GetPEB call 791112 call 79154b VirtualProtect 175 7916ae call 7915f4 170->175 176 7916b3-7916b6 170->176 175->176
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualProtect.KERNELBASE(0080B730,000004E4,00000040,?), ref: 007916A6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ProtectVirtual
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 544645111-0
                                                                                                                                                                            • Opcode ID: 754a6af6a514a369db7a820e7f3948c672f304e23ff218537218279ff1eb6a0c
                                                                                                                                                                            • Instruction ID: 9623438d318aad323812db8ea3ba2c08c68bc1251a28ce15dfaa85bbb00d38ae
                                                                                                                                                                            • Opcode Fuzzy Hash: 754a6af6a514a369db7a820e7f3948c672f304e23ff218537218279ff1eb6a0c
                                                                                                                                                                            • Instruction Fuzzy Hash: DCF0E976344505EFE205DB18E806E57B394EBC8720F21801AF605977C1C778FC11C9A0

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
APIs
• __alloca_probe_16.LIBCMT ref: 007A022B
• __alloca_probe_16.LIBCMT ref: 007A02EC
• __freea.LIBCMT ref: 007A0353
  • Part of subcall function 00798A87: HeapAlloc.KERNEL32(00000000,?,?,?,00792778,?,?,?,?,?,00791051,?,?,?,007910E3,?), ref: 00798AB9
• __freea.LIBCMT ref: 007A0368
• __freea.LIBCMT ref: 007A0378
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: __freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 1096550386-0
• Opcode ID: ce01f19ebcf6f1ddc3f8d3b42f69e5659209d188bd71f151fe3cc43fa7aaf0f7
• Instruction ID: a2e0731688e21daf94dd6b8c13f0cfead7b8fabdafb5f8ce176c815a34133357
• Opcode Fuzzy Hash: ce01f19ebcf6f1ddc3f8d3b42f69e5659209d188bd71f151fe3cc43fa7aaf0f7
• Instruction Fuzzy Hash: 5451D37260020AEFEF259E64DC89EBF76A9EF86354F150629FD04D6150EB78CC1087E1

Control-flow Graph
                                                                                                                                                                            control_flow_graph 72 79841e-79842d call 7980f3 75 79842f-798454 LCMapStringEx 72->75 76 798456-798470 call 79847b LCMapStringW 72->76 80 798476-798478 75->80 76->80
APIs
• LCMapStringEx.KERNELBASE(?,007A0292,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00798452
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,007A0292,?,?,00000000,?,00000000), ref: 00798470
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: String
• String ID: :!y
• API String ID: 2568140703-1945855279
• Opcode ID: 538f1ff2e246a474e6832ea30b6e7ee80bee3f43395b2173724f6ea44f21d7ac
• Instruction ID: ae13bb17f98c3d059c73d3907c37f688df400828e1b4bd4d1126a116d3fd071b
• Opcode Fuzzy Hash: 538f1ff2e246a474e6832ea30b6e7ee80bee3f43395b2173724f6ea44f21d7ac
• Instruction Fuzzy Hash: 46F07A3240415AFBCF125FA0EC09DDE3F26EF893A0F058110FA1865130CB7AC871AB95
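Added worked example (editor's code, not part of the Joe Sandbox report and not code from the sample): a parser for the control_flow_graph token stream that precedes each entry above, using the line for the function at 0079841E as its constructed input. The token grammar is inferred from the page and is an assumption, since the tool does not document it: a decimal block index followed by a hex address or address range opens a basic block, `call <addr>` records a direct call from that block, any other token is an API name the sandbox resolved there, and `<src>-><dst>` is an edge between block indices. The summary returns the triage facts an analyst wants before reading a listing: entry block, exit blocks, distinct callees and resolved APIs, and blocks unreachable from the entry (a sign of an exception handler or a mis-parse). Keep in mind that the LIBCMT tags on __alloca_probe_16 and __freea mark statically linked MSVC runtime code, so graphs like these are mainly useful for separating runtime helpers from sample-specific logic rather than for understanding the stealer itself.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the control_flow_graph line copied from the report entry for
# the function at 0079841E (a statically linked CRT wrapper around LCMapString).
CFG_0079841E = (
    "control_flow_graph 72 79841e-79842d call 7980f3 75 79842f-798454 LCMapStringEx "
    "72->75 76 798456-798470 call 79847b LCMapStringW 72->76 80 798476-798478 "
    "75->80 76->80"
)

# Token shapes as observed on the page (assumed, not documented by the tool):
#   <index> <start>[-<end>]   opens a basic block (decimal index, hex addresses)
#   call <target>             a direct call made from the current block
#   <Name>                    any other token is an API name resolved in that block
#   <src>-><dst>              a control-flow edge between block indices
_INDEX = re.compile(r"^\d+$")
_RANGE = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    index: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # direct call targets (addresses)
    apis: list = field(default_factory=list)   # API names the sandbox resolved here
    succs: list = field(default_factory=list)  # successor block indices


def parse_cfg(text):
    """Parse one control_flow_graph line into {index: Block}; raises on malformed input."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif _INDEX.match(tok) and i + 1 < len(tokens) and _RANGE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.index] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {tok!r} appears before any block")
        elif tok == "call":
            if i + 1 >= len(tokens) or not _RANGE.match(tokens[i + 1]):
                raise ValueError("dangling 'call' token")
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            cur.apis.append(tok)
            i += 1
    # Edges may name a block before it is defined, so resolve them after the pass.
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an undefined block")
        blocks[src].succs.append(dst)
    return blocks


def _fmt(addr):
    return f"{addr:08X}"  # match the report's 8-digit address style


def summarize(blocks):
    """Triage facts for one function: entry, exits, callees, APIs, unreachable blocks."""
    entry = min(blocks.values(), key=lambda b: b.start)
    seen, stack = set(), [entry.index]
    while stack:  # depth-first reachability from the entry block
        idx = stack.pop()
        if idx in seen:
            continue
        seen.add(idx)
        stack.extend(blocks[idx].succs)
    return {
        "entry": _fmt(entry.start),
        "blocks": len(blocks),
        "edges": sum(len(b.succs) for b in blocks.values()),
        "exits": sorted(_fmt(b.start) for b in blocks.values() if not b.succs),
        "callees": sorted({_fmt(a) for b in blocks.values() for a in b.calls}),
        "apis": sorted({n for b in blocks.values() for n in b.apis}),
        "unreachable": sorted(_fmt(blocks[i].start) for i in blocks if i not in seen),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_cfg(CFG_0079841E)).items():
        print(f"{key:12} {value}")
```

Run as a script it prints the summary for the embedded line; any other entry's control_flow_graph line can be passed to parse_cfg unchanged, which makes it easy to diff callee sets between runtime helpers and the functions that actually reach the stealer's credential-harvesting code.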

Control-flow Graph
                                                                                                                                                                            control_flow_graph 81 79b4d1-79b4f9 call 79b001 84 79b4ff-79b505 81->84 85 79b6c1-79b6c2 call 79b072 81->85 87 79b508-79b50e 84->87 88 79b6c7-79b6c9 85->88 89 79b610-79b62f call 793190 87->89 90 79b514-79b520 87->90 92 79b6ca-79b6d8 call 791a14 88->92 98 79b632-79b637 89->98 90->87 93 79b522-79b528 90->93 96 79b608-79b60b 93->96 97 79b52e-79b53a IsValidCodePage 93->97 96->92 97->96 100 79b540-79b547 97->100 101 79b639-79b63e 98->101 102 79b674-79b67e 98->102 103 79b549-79b555 100->103 104 79b56f-79b57c GetCPInfo 100->104 107 79b671 101->107 108 79b640-79b648 101->108 102->98 109 79b680-79b6aa call 79afc3 102->109 110 79b559-79b565 call 79b0d5 103->110 105 79b5fc-79b602 104->105 106 79b57e-79b59d call 793190 104->106 105->85 105->96 106->110 120 79b59f-79b5a6 106->120 107->102 112 79b669-79b66f 108->112 113 79b64a-79b64d 108->113 122 79b6ab-79b6ba 109->122 119 79b56a 110->119 112->101 112->107 117 79b64f-79b655 113->117 117->112 121 79b657-79b667 117->121 119->88 124 79b5a8-79b5ad 120->124 125 79b5d2-79b5d5 120->125 121->112 121->117 122->122 123 79b6bc 122->123 123->85 124->125 126 79b5af-79b5b7 124->126 127 79b5da-79b5e1 125->127 128 79b5b9-79b5c0 126->128 129 79b5ca-79b5d0 126->129 127->127 130 79b5e3-79b5f7 call 79afc3 127->130 131 79b5c1-79b5c8 128->131 129->124 129->125 130->110 131->129 131->131
APIs
  • Part of subcall function 0079B001: GetOEMCP.KERNEL32(00000000,?,?,?,00000000), ref: 0079B02C
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0079B318,?,00000000,?,?,00000000), ref: 0079B532
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0079B318,?,00000000,?,?,00000000), ref: 0079B574
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: 8b256409ed2c27c1422e7824ed5563b47c216bf404d8f3d374a95e4773058024
• Instruction ID: 82f057848aa13c7b3ef0f13a019346d02a5c5ca77fb314a3f792cf6e22f1079f
• Opcode Fuzzy Hash: 8b256409ed2c27c1422e7824ed5563b47c216bf404d8f3d374a95e4773058024
• Instruction Fuzzy Hash: DE513670A003059EDF20CF75F984AABBBF5EF85300F19456ED09687262E77CA945CB50

Control-flow Graph
                                                                                                                                                                            control_flow_graph 134 79b0d5-79b0f7 135 79b0fd-79b10f GetCPInfo 134->135 136 79b210-79b236 134->136 135->136 137 79b115-79b11c 135->137 138 79b23b-79b240 136->138 139 79b11e-79b128 137->139 140 79b24a-79b250 138->140 141 79b242-79b248 138->141 139->139 145 79b12a-79b13d 139->145 143 79b25c 140->143 144 79b252-79b255 140->144 142 79b258-79b25a 141->142 146 79b25e-79b270 142->146 143->146 144->142 147 79b15e-79b160 145->147 146->138 148 79b272-79b280 call 791a14 146->148 149 79b13f-79b146 147->149 150 79b162-79b199 call 79bf2e call 7a0392 147->150 153 79b155-79b157 149->153 160 79b19e-79b1d3 call 7a0392 150->160 156 79b159-79b15c 153->156 157 79b148-79b14a 153->157 156->147 157->156 159 79b14c-79b154 157->159 159->153 163 79b1d5-79b1df 160->163 164 79b1ed-79b1ef 163->164 165 79b1e1-79b1eb 163->165 167 79b1fd 164->167 168 79b1f1-79b1fb 164->168 166 79b1ff-79b20c 165->166 166->163 169 79b20e 166->169 167->166 168->166 169->148
APIs
• GetCPInfo.KERNEL32(E8458D00,?,0079B324,0079B318,00000000), ref: 0079B107
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: Info
• String ID:
• API String ID: 1807457897-0
• Opcode ID: 2dc9474a874b8c24d678d9c7a6fffd5bcd84f76d8ab419b51a232c6500d4ee90
• Instruction ID: f7279adee41ea7ecded1e6ff941fe1a93df1c387a45e63120d8a359108ef9cbc
• Opcode Fuzzy Hash: 2dc9474a874b8c24d678d9c7a6fffd5bcd84f76d8ab419b51a232c6500d4ee90
• Instruction Fuzzy Hash: 6351787150425C9ACF218F28EE84BEA7BBDEB56304F2405EDE59AC7142D378AD46DF20

Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 7cd35548898df6bc93bbcb13cba9c1e2217303bff1231b2546a27f81f112a5d0
• Instruction ID: 5773257d007820dc9fd24a7dcd050839f470c1c3c0cb830824b3d57c7de6a6fb
• Opcode Fuzzy Hash: 7cd35548898df6bc93bbcb13cba9c1e2217303bff1231b2546a27f81f112a5d0
• Instruction Fuzzy Hash: 2ED22771E086288FDF65CE28ED447EAB7B5EB45305F1445EAD40EE7240EB78AE818F41
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _strrchr
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3213747228-0
                                                                                                                                                                            • Opcode ID: e742114cad1722125c79802c132c505b8aa059e1db89f26ea849efe0e0605f33
                                                                                                                                                                            • Instruction ID: c69d5f22ebc2148a584e54009ae478c4eb38845f80c993d44d8f7e46e0a34171
                                                                                                                                                                            • Opcode Fuzzy Hash: e742114cad1722125c79802c132c505b8aa059e1db89f26ea849efe0e0605f33
                                                                                                                                                                            • Instruction Fuzzy Hash: 81B1553290425AAFEF15CF6CD8857EEBBA5FF59310F14816EEA14AB241D2399D01C7A0
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00792184
                                                                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 00792250
                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00792269
                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 00792273
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 254469556-0
                                                                                                                                                                            • Opcode ID: 18ce0d8478a3641dabc7516400d562393c335452df318c41e04eb053d314e4e6
                                                                                                                                                                            • Instruction ID: 86d1ec4fda048e4b520296adfb851e52ce1bef1762bab5f73ed3509895f0e547
                                                                                                                                                                            • Opcode Fuzzy Hash: 18ce0d8478a3641dabc7516400d562393c335452df318c41e04eb053d314e4e6
                                                                                                                                                                            • Instruction Fuzzy Hash: 1D311675D01218DBDF20EFA4E9497CDBBB8BF48300F1041EAE50CAB250EBB59A858F45
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: ``C$ov|$ov|$x`C
                                                                                                                                                                            • API String ID: 0-850246289
                                                                                                                                                                            • Opcode ID: 4639c864b91f6e9cc3f469510a2f9944f86d2f54ec5b532889058d1e4e41c286
                                                                                                                                                                            • Instruction ID: 992c5c88953d39dd89870d4229738946a6241556ab4181e03f21e361ae5e8ec7
                                                                                                                                                                            • Opcode Fuzzy Hash: 4639c864b91f6e9cc3f469510a2f9944f86d2f54ec5b532889058d1e4e41c286
                                                                                                                                                                            • Instruction Fuzzy Hash: 4851C073900156ABEB18CF58C495BE973B1FFC8304F2684BED84AAF286EB345901CB50
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00796A7C
                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00796A86
                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00796A93
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                                                            • Opcode ID: c6d2fedc1b1992db25137606390a92626af260294b5d34c95f2d0cb6dddc984e
                                                                                                                                                                            • Instruction ID: 1602c2a714c3e56f8625fa9abd26d548f3ccba65404c14caf52f441a07a68881
                                                                                                                                                                            • Opcode Fuzzy Hash: c6d2fedc1b1992db25137606390a92626af260294b5d34c95f2d0cb6dddc984e
                                                                                                                                                                            • Instruction Fuzzy Hash: 1131937590121CEBCF21DF68E88978DBBB8BF48710F5081DAE51CA6261E7749B858F48
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Rz|$UT$ov|
                                                                                                                                                                            • API String ID: 0-2482668390
                                                                                                                                                                            • Opcode ID: 0e5d514c79ef925c0a1ce41a7415018d9d52760b019abbb396943d1197465535
                                                                                                                                                                            • Instruction ID: 9d7772907336b35d655e01ec41da4cbfc126567edb5402d523113035cb2bf902
                                                                                                                                                                            • Opcode Fuzzy Hash: 0e5d514c79ef925c0a1ce41a7415018d9d52760b019abbb396943d1197465535
                                                                                                                                                                            • Instruction Fuzzy Hash: 6502A5B1D082688FDF29CF68C884B9E7BB5AF45300F1444EDD949A7246DB389E84CF95
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18b3df0f6a783b84a0005ec9b5b8d67f3646548f487e0ba2d8827565c9d32673
• Instruction ID: 685ff296969b709ba31c1bc701bba2161f8ed7b42700769f92005d371b13b72b
• Opcode Fuzzy Hash: 18b3df0f6a783b84a0005ec9b5b8d67f3646548f487e0ba2d8827565c9d32673
• Instruction Fuzzy Hash: 3EF14171E002199FDF24CFA9D9806ADF7B2FF88314F258269E915AB385D734AD41CB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID: -\y$0
• API String ID: 0-4072222311
• Opcode ID: a19a32aac08044840b608dca22c57d7aef00580b635a541d20bb5af7704fefce
• Instruction ID: 4cf0633da2369e6bcfe1ed1e6195de9fd4b80ccdffa479440293da46f33cbcbf
• Opcode Fuzzy Hash: a19a32aac08044840b608dca22c57d7aef00580b635a541d20bb5af7704fefce
• Instruction Fuzzy Hash: 0DB10370900A1ACBCF26CF68E595ABEB7B2AF05310F14061EE552EB291D73DEE05CB51
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007A281B,?,?,00000008,?,?,007A2425,00000000), ref: 007A2A4D
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 37b45aee1e9ddc1af2534a978e52bf4c90950e989496949becb4cacbc2cd1553
• Instruction ID: bee634ad1ab5d35fc29feea4f6be1a0917a1b388f178cc0d64fbc717d4016f8f
• Opcode Fuzzy Hash: 37b45aee1e9ddc1af2534a978e52bf4c90950e989496949becb4cacbc2cd1553
• Instruction Fuzzy Hash: 9AB12D31610609DFD729CF2CC486B657BA0FF86364F258658E8D9CF2A2C739E952CB40
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0079242B
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 064ad510ca503ce99dee032211d764675de3d06275a155918ed535aee7a310c8
• Instruction ID: 7d38d4c531e26d8af53e8d55dc02283b6211069dd1b083f83ad6c72485724ad3
• Opcode Fuzzy Hash: 064ad510ca503ce99dee032211d764675de3d06275a155918ed535aee7a310c8
• Instruction Fuzzy Hash: BAA18AB19016459FDB18CF58E8C16AFBBF0FB89324F14C22AD525EB7A2D3389845CB54
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb40d9da8776d8fbe0f50fa14bb9ba181a944e5eb99d2a5b1add28d196f20805
• Instruction ID: 54f523d6573ee7153fad56ce585239aeae4fab57c6dc07a67ef75adb264c9ac7
• Opcode Fuzzy Hash: cb40d9da8776d8fbe0f50fa14bb9ba181a944e5eb99d2a5b1add28d196f20805
• Instruction Fuzzy Hash: 2541C2B5C0521DAFDF20DF69DC89EAABBB9EF45300F1442D9E448D3201EA399E858F50
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00002311,00791B3B), ref: 0079230A
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 19679a5891a06da75c900aa0bc35f62538922ab03e4cd98348acfa5dc9fa5976
• Instruction ID: 725fdaca0786f0963825bc5f1c66200f63b28f37eb4ad4551ab444642b47f4ac
• Opcode Fuzzy Hash: 19679a5891a06da75c900aa0bc35f62538922ab03e4cd98348acfa5dc9fa5976
• Instruction Fuzzy Hash:
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 54814d4b6fa5830c64b486a3dd58da17bcbf9b883f7d6fb46757e08c2e39a003
• Instruction ID: 223da6dbb4f8245ada40873107b7b68133763257f9c64187c93a055e7e6845a6
• Opcode Fuzzy Hash: 54814d4b6fa5830c64b486a3dd58da17bcbf9b883f7d6fb46757e08c2e39a003
• Instruction Fuzzy Hash: 22A002716031058B97404F355A4560A3695A58659170582555515C5160D76584546E05
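Every function record above points at the same set of memory dumps, named by descriptors such as 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp. The following is an added example, not part of the Joe Sandbox report, that decodes those descriptors and flags the regions worth pulling first. The field layout it uses (process index, dump stage, dump id, base address, page protection, unknown, memory type, unknown) is an assumption inferred from the values on this page; the PAGE_* and MEM_* constants are the documented winnt.h values. Under that assumption, the dump at 0x80B000 carries protection 0x40 (PAGE_EXECUTE_READWRITE) inside an image mapping, which is where unpacked or self-modifying code would sit.

```python
"""Decode Joe Sandbox .sdmp memory-dump descriptors and flag writable+executable regions.

Added example, not code from the Joe Sandbox report. The descriptor field order is an
ASSUMPTION inferred from the descriptors on this page; the protection and memory-type
constants are the documented Windows values from winnt.h.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Page protection values (winnt.h); the low byte of the protection field.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))
EXECUTABLE_MASK = 0xF0  # any PAGE_EXECUTE* value
WRITABLE_MASK = 0xCC    # READWRITE | WRITECOPY | EXECUTE_READWRITE | EXECUTE_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values (winnt.h).
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout: <proc>.<stage>.<dump id>.<base>.<protection>.<?>.<memory type>.<?>.sdmp
_SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    proc: int
    stage: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        low = self.protect & 0xFF
        parts = [PAGE_PROTECTIONS.get(low, f"UNKNOWN(0x{low:02x})")]
        parts += [n for bit, n in PAGE_MODIFIERS if self.protect & bit]
        return "|".join(parts)

    @property
    def type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"UNKNOWN(0x{self.mem_type:x})")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITABLE_MASK)


def parse_sdmp(text: str) -> DumpRegion:
    """Decode the first .sdmp descriptor found in text; ValueError if none fits the assumed layout."""
    m = _SDMP_RE.search(text)
    if m is None:
        raise ValueError(f"no sdmp descriptor in {text!r}")
    return DumpRegion(
        name=m.group(0),
        proc=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


def find_regions(report_lines: Iterable[str]) -> List[DumpRegion]:
    """Pull every descriptor out of raw 'Source File' / 'Associated' report lines."""
    return [parse_sdmp(m.group(0)) for line in report_lines for m in _SDMP_RE.finditer(line)]


def rwx_regions(report_lines: Iterable[str]) -> List[DumpRegion]:
    """Regions that were writable and executable at dump time: unpacked or self-modifying code lives here."""
    return [r for r in find_regions(report_lines) if r.executable and r.writable]


# Constructed sample: the Memory Dump Source block of the first function record above.
SAMPLE_LINES = [
    "• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true",
    "• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp",
    "• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for r in find_regions(SAMPLE_LINES):
        flag = "  <-- writable+executable, dump and inspect first" if r.executable and r.writable else ""
        print(f"{r.base:#010x} {r.type_name:<10} {r.protect_name}{flag}")
```

Run against the eight descriptors on this page, the script lists two executable regions (0x791000 as PAGE_EXECUTE_READ, the mapped code section, and 0x80B000 as PAGE_EXECUTE_READWRITE) and flags only the latter. The 0x08 region at 0x810000 decodes as PAGE_WRITECOPY, the normal state of an image's writable data section before the process has written to it. If a report lists a descriptor whose fields do not fit this assumed layout, parse_sdmp raises rather than guessing.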
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 8a0cbe5cf4f3c382501015eb38ca5360e31d3c13d09ca3a9ee6b95cccfefd4dd
                                                                                                                                                                            • Instruction ID: 003891a2227622c66538fc80fe4bf2a1c751cc2398d6220a0d4e8c3b0c1a9daf
                                                                                                                                                                            • Opcode Fuzzy Hash: 8a0cbe5cf4f3c382501015eb38ca5360e31d3c13d09ca3a9ee6b95cccfefd4dd
                                                                                                                                                                            • Instruction Fuzzy Hash: 3A02A123D5E6B24B8B794EB948902267FB15E01B4031F46DBEDC03F396D21AED06D6E0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                                                                                            • Instruction ID: 98e05ab99b385fb128f28feb0110a21d77563f59dd9c6b70e89fb80794be040d
                                                                                                                                                                            • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                                                                                                                                                                            • Instruction Fuzzy Hash: DCC15D73D1F5B2458BB6462D481823AEE726F91B4131F8397DCD03F3C99A2AAD06D5E0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                                                                                                            • Instruction ID: 365d39c02f4e217d17368cc7e6923a4ff94f41df42572b54cdb3d157bfe2de5e
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                                                                                                                                                                            • Instruction Fuzzy Hash: 7CC16D73D1F5B20987B5462D481823AEE726E91B4131F8393DCD03F389D62A6D06D5D1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                                                                                                            • Instruction ID: ff74187824b9e9cdf629e480d50662a91f33ec03847e73211bedc3ff088c0f6b
                                                                                                                                                                            • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                                                                                                                                                                            • Instruction Fuzzy Hash: 17C15E73D1F5B2498B76462D481823EEE726F81B4031F8396DCD03F3898A2AAD16D5D0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                                                                                                                            • Instruction ID: f88f982755c29afb0a87e0f93cd9bc60fa37a3bdaedb84f4156e4eb42645c8f5
                                                                                                                                                                            • Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
                                                                                                                                                                            • Instruction Fuzzy Hash: 80B15D73D1F9B2098B75462D481822BEE726E81B4031FC396DCD03F389DA2AAD06D5D0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3_catch
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3886170330-0
                                                                                                                                                                            • Opcode ID: 9bbe4cf242ec5de15e57c003a102096e452308a81f57c8e9ffe6e3bf0f70bf4a
                                                                                                                                                                            • Instruction ID: 0c65ff504f1f4b1ba70a520972eccea831e23379da51262b204c8f60e6e551fe
                                                                                                                                                                            • Opcode Fuzzy Hash: 9bbe4cf242ec5de15e57c003a102096e452308a81f57c8e9ffe6e3bf0f70bf4a
                                                                                                                                                                            • Instruction Fuzzy Hash: 6651F972D1022B9BCF08DFB9D8855EEFBB5EB49310F54423AD914E7391D2399A12CB90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f820d73acb58f4ea73768fd8ccb48802642c53090ea72760e35e0388eb771fac
• Instruction ID: 37f9bf5b827b6cdb9e1e621cff4597cf93b5d47ed0184070c0604b28a39aac5b
• Opcode Fuzzy Hash: f820d73acb58f4ea73768fd8ccb48802642c53090ea72760e35e0388eb771fac
• Instruction Fuzzy Hash: 54210D216B0AE306CB848FF8FCC062267D1CBCD21B76EC2BDCE54C9067D06DE6228590
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
• Instruction ID: 04de3f6764e759254b6249b2df56df312f4c409687e6d7d5a53e96524bae1408
• Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
• Instruction Fuzzy Hash: 28F05E32900100BBCF11CF95E804BAAF7B8FB87360F257164D409B3540C334ED109A98
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e47e57290291bf3e55fc76926b40b9455446aaecab0376499f589c11769486e1
• Instruction ID: ea3e4387b39ce806ce78312b7a9645757156f0a8d6b1af2c7d6898ca67931afe
• Opcode Fuzzy Hash: e47e57290291bf3e55fc76926b40b9455446aaecab0376499f589c11769486e1
• Instruction Fuzzy Hash: 77F03072900A19AFD714CFADD5415DFFBF8EB48320B10856ED4AAF3260D630FA458B51
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b345e7f6422290e99a9778faa3e01c4f10bc71c1cff29f5c28bddaba4d8c40f
• Instruction ID: fa4df9d9c239b1484dca8f4ba3cb12dc585d3891278da699aafe1d2bb2df5840
• Opcode Fuzzy Hash: 9b345e7f6422290e99a9778faa3e01c4f10bc71c1cff29f5c28bddaba4d8c40f
• Instruction Fuzzy Hash: D2E09B7060520497E3089B14E81A75776D5EBC5300F50C03DE24AC73D0DFBC98099786
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a531db49a4f3729ab887177585f355256e3b6d79a99a6b39f015d026f8895b42
• Instruction ID: 273e40af35c4e8206db51af2ef31c70bef5ef616ddf826f70bb37740d20a8505
• Opcode Fuzzy Hash: a531db49a4f3729ab887177585f355256e3b6d79a99a6b39f015d026f8895b42
• Instruction Fuzzy Hash: 68E04632911228EBCB14DB98AA0898AF3BCEB4AB00B114096F501E3200C674DE00D7D0
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
• Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
• Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
• Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6f8aa25285df3118817bb43e8fb066e78d4562735eb8b7e63a52ee34af13324
• Instruction ID: ff3b274604986dfb644b2fbce332596f7edc070f4f18603bee512522a868f02a
• Opcode Fuzzy Hash: c6f8aa25285df3118817bb43e8fb066e78d4562735eb8b7e63a52ee34af13324
• Instruction Fuzzy Hash: 6EC08C74024E0086CE2D891CA6723A43378A3AA7C2F80048CC5020F752C61EAC82D600
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
                                                                                                                                                                            • Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
                                                                                                                                                                            • Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
                                                                                                                                                                            • Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
                                                                                                                                                                            • Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
                                                                                                                                                                            • Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
                                                                                                                                                                            • Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 292 7cd2d6-7cd2e7 293 7cd2fe-7cd301 292->293 294 7cd2e9-7cd2fd call 7ca400 292->294 296 7cd308-7cd30b 293->296 297 7cd303-7cd306 293->297 299 7cd320-7cd330 296->299 300 7cd30d-7cd31f 296->300 297->296 297->299 301 7cd366-7cd368 299->301 302 7cd332-7cd336 299->302 303 7cd36f 301->303 304 7cd36a 301->304 305 7cd34e-7cd361 call 7ca400 302->305 306 7cd338-7cd347 302->306 308 7cd372-7cd375 303->308 307 7cd36d 304->307 314 7cd6b2-7cd6b4 305->314 306->303 309 7cd349-7cd34c 306->309 307->303 307->308 311 7cd38d-7cd3ad 308->311 312 7cd377-7cd388 308->312 309->307 315 7cd48b-7cd48e 311->315 316 7cd3b3-7cd3e3 call 7c9d3c call 7ca184 311->316 312->314 317 7cd53e-7cd549 315->317 318 7cd494-7cd4a3 315->318 338 7cd428-7cd447 call 7c994a call 7ca184 316->338 339 7cd3e5-7cd426 call 7cd01f call 7c9d0f call 7ca184 call 7c9f65 316->339 323 7cd54b-7cd56f call 7ca071 call 7ca184 317->323 324 7cd571-7cd57f call 7ca071 call 7c952d 317->324 320 7cd52f-7cd539 call 7cc05b call 7c952d 318->320 321 7cd4a9-7cd4e9 call 7cc05b call 7c9d0f call 7ca184 call 7c9f65 318->321 320->317 321->317 341 7cd584-7cd588 323->341 324->341 364 7cd44a-7cd456 338->364 339->364 346 7cd58a-7cd5c2 call 7c9d0f call 7ca184 call 7ca1cc 341->346 347 7cd5c5-7cd5d4 call 7c9395 341->347 346->347 365 7cd5e6 347->365 366 7cd5d6-7cd5e4 347->366 370 7cd45c-7cd45e 364->370 371 7cd512-7cd52a call 7c994a call 7ca184 364->371 367 7cd5e8-7cd640 call 7c9c06 call 7ca6c2 call 7c9d0f call 7ca184 call 7ca1cc call 7c9f65 365->367 366->367 404 7cd652-7cd662 367->404 405 7cd642-7cd644 367->405 376 7cd4fc-7cd50d 370->376 377 7cd464-7cd478 370->377 394 7cd6ad 371->394 378 7cd6b0-7cd6b1 376->378 383 7cd47a-7cd488 call 7c986f 377->383 384 7cd4eb-7cd4fa call 7c986f call 7c952d 377->384 378->314 383->315 384->315 394->378 406 7cd664-7cd673 call 7ca7a2 call 7c9f65 404->406 407 7cd675-7cd67f call 7ca7a2 call 7c952d 404->407 405->404 408 7cd646-7cd64d call 7c9f65 405->408 417 7cd684-7cd686 406->417 407->417 408->404 418 7cd688-7cd6a1 417->418 419 7cd6a3-7cd6a8 call 7c994a 417->419 418->378 419->394
APIs
• operator+.LIBCMT ref: 007CD2F1
  • Part of subcall function 007CA400: DName::DName.LIBCMT ref: 007CA413
  • Part of subcall function 007CA400: DName::operator+.LIBCMT ref: 007CA41A
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: NameName::Name::operator+operator+
• String ID:
• API String ID: 2937105810-0
• Opcode ID: 35539629968e138beffd51becdf4c8dee185b9484c6757ffb25b44c6f192daa8
• Instruction ID: ea153816e62ae4e49a8815f4dbcb13f126bfb17244ff2250676f024925be7aa1
• Opcode Fuzzy Hash: 35539629968e138beffd51becdf4c8dee185b9484c6757ffb25b44c6f192daa8
• Instruction Fuzzy Hash: 21D1FB71900249EFCB15DFA8D899FEEBBF8AF08305F14406DE605E7291DB389A85CB51

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 421 7ce01e-7ce032 422 7ce038-7ce059 421->422 423 7ce3a4-7ce3b1 call 7ca400 421->423 425 7ce0ad-7ce0b0 422->425 426 7ce05b 422->426 432 7ce3b4 423->432 430 7ce0b6 425->430 431 7ce281-7ce289 call 7ca03c 425->431 428 7ce28e-7ce296 call 7ca21e 426->428 429 7ce061-7ce067 426->429 440 7ce29b-7ce29e 428->440 435 7ce06d 429->435 436 7ce279-7ce27c 429->436 430->436 437 7ce0bc-7ce0bf 430->437 431->428 439 7ce3b7-7ce3bb 432->439 435->425 438 7ce1b6-7ce1d0 call 7cbf01 436->438 441 7ce0c5-7ce0c8 437->441 442 7ce272-7ce277 437->442 444 7ce2a4-7ce2a9 438->444 464 7ce1d6-7ce1de 438->464 443 7ce1fb-7ce213 440->443 440->444 446 7ce0ce-7ce0d1 441->446 447 7ce263 441->447 442->440 450 7ce34d-7ce350 443->450 451 7ce219-7ce23d call 7cdd93 443->451 448 7ce2eb-7ce2f3 444->448 449 7ce2ab-7ce2b0 444->449 446->436 454 7ce0d7-7ce0ed 446->454 452 7ce268-7ce270 call 7ca03c 447->452 459 7ce2f8-7ce310 call 7c9d3c call 7ca184 448->459 460 7ce2dc-7ce2e9 449->460 461 7ce2b2-7ce2b4 449->461 457 7ce38a-7ce3a2 call 7cdd93 450->457 458 7ce352-7ce355 450->458 482 7ce24c-7ce257 451->482 483 7ce23f-7ce247 call 7ca21e 451->483 452->444 455 7ce193-7ce196 454->455 456 7ce0f3-7ce0f6 454->456 471 7ce25c-7ce261 455->471 472 7ce19c-7ce19f 455->472 466 7ce0fc-7ce0ff 456->466 467 7ce189-7ce18e 456->467 457->432 468 7ce378-7ce37b 458->468 469 7ce357-7ce367 call 7ca03c 458->469 505 7ce313-7ce319 459->505 460->459 461->460 470 7ce2b6-7ce2b8 461->470 464->439 476 7ce166-7ce169 466->476 477 7ce101-7ce104 466->477 467->452 468->457 484 7ce37d-7ce385 call 7ca03c 468->484 469->457 504 7ce369-7ce376 call 7ca21e 469->504 470->460 479 7ce2ba-7ce2bc 470->479 471->452 480 7ce1f8-7ce1fa 472->480 481 7ce1a1-7ce1a4 472->481 488 7ce16b-7ce16e 476->488 489 7ce1e3-7ce1e8 476->489 490 7ce15c-7ce161 477->490 491 7ce106-7ce108 477->491 479->460 493 7ce2be-7ce2c1 479->493 480->443 494 7ce1a6-7ce1a9 481->494 495 7ce1f1-7ce1f6 481->495 497 7ce348-7ce34b 482->497 483->482 484->457 500 7ce17f-7ce184 488->500 501 7ce170-7ce173 488->501 489->452 490->452 502 7ce10a-7ce10d 491->502 503 7ce147-7ce157 call 7c9a83 491->503 493->505 506 7ce2c3-7ce2ca 493->506 507 7ce1ea-7ce1ef 494->507 508 7ce1ab-7ce1b1 494->508 495->452 497->439 500->452 501->489 509 7ce175-7ce17a 501->509 512 7ce10f-7ce115 502->512 513 7ce125-7ce142 call 7ce01e call 7ca424 502->513 503->444 504->457 510 7ce33d-7ce345 505->510 511 7ce31b-7ce338 call 7c9d0f call 7ca184 call 7c9f65 505->511 506->460 515 7ce2cc-7ce2ce 506->515 507->452 508->489 516 7ce1b3 508->516 509->452 510->497 511->510 512->489 519 7ce11b-7ce120 512->519 513->432 515->460 522 7ce2d0-7ce2d2 515->522 516->438 519->452 522->460 526 7ce2d4-7ce2d6 522->526 526->460 529 7ce2d8-7ce2da 526->529 529->460 529->505
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Name::operator+=$Decorator::getNameName::Name::operator+Name::operator=Type$Dataoperator+
• String ID:
• API String ID: 1129569759-0
• Opcode ID: 6dbec500bb396f51e2aa04729c82308d503cf4e8d877ee9f6af5757cd44cb17a
• Instruction ID: 5d95936add3db1381e0d9703f350d229149edd9d4d9fd0e4fe5549918036e6f0
• Opcode Fuzzy Hash: 6dbec500bb396f51e2aa04729c82308d503cf4e8d877ee9f6af5757cd44cb17a
• Instruction Fuzzy Hash: FB918F71A04249EFCB28DE98C88AFAD7778BF15352F24426EF911E7291D73C9A40CB51

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph 533 7d3894-7d389f 534 7d38c5 533->534 535 7d38a1-7d38a5 533->535 537 7d38c7-7d38ca 534->537 535->534 536 7d38a7-7d38b8 call 7cedf2 535->536 540 7d38cb-7d38dc call 7cedf2 536->540 541 7d38ba-7d38bf call 7ce874 536->541 546 7d38de-7d38df call 7c86bb 540->546 547 7d38e7-7d38f9 call 7cedf2 540->547 541->534 550 7d38e4-7d38e5 546->550 552 7d390b-7d3927 call 7d2bbc call 7d3678 547->552 553 7d38fb-7d3909 call 7c86bb * 2 547->553 550->541 562 7d3929-7d3940 call 7d1268 call 7d1301 call 7c86bb 552->562 563 7d3942-7d3953 call 7d1855 552->563 553->550 578 7d3974-7d3976 562->578 569 7d3978-7d3980 563->569 570 7d3955-7d3971 call 7c86bb call 7d1268 call 7d1301 call 7c86bb 563->570 572 7d3982-7d3984 569->572 570->578 572->537 578->572
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
• String ID:
• API String ID: 2193103758-0
• Opcode ID: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
• Instruction ID: 1a2a701ae00cb2bc5b9e02f9ebcd1257b20d2e0ca7344a16077e0f899fb72ce1
• Opcode Fuzzy Hash: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
• Instruction Fuzzy Hash: B021E731104611FBD7217F29D80AE1ABBF4EF41754B20442FF88966392DF7ED900E666

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 584 792e00-792e51 call 7a33e0 call 792dc0 call 793457 591 792ead-792eb0 584->591 592 792e53-792e65 584->592 593 792ed0-792ed9 591->593 594 792eb2-792ebf call 793440 591->594 592->593 595 792e67-792e7e 592->595 599 792ec4-792ecd call 792dc0 594->599 597 792e80-792e8e call 7933e0 595->597 598 792e94 595->598 607 792e90 597->607 608 792ea4-792eab 597->608 601 792e97-792e9c 598->601 599->593 601->595 604 792e9e-792ea0 601->604 604->593 605 792ea2 604->605 605->599 609 792eda-792ee3 607->609 610 792e92 607->610 608->599 611 792f1d-792f2d call 793420 609->611 612 792ee5-792eec 609->612 610->601 617 792f2f-792f3e call 793440 611->617 618 792f41-792f5d call 792dc0 call 793400 611->618 612->611 614 792eee-792efd call 7a2e40 612->614 622 792f1a 614->622 623 792eff-792f17 614->623 617->618 622->611 623->622
                                                                                                                                                                            APIs
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00792E37
                                                                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00792E3F
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00792EC8
                                                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00792EF3
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00792F48
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                            • String ID: :!y$csm
                                                                                                                                                                            • API String ID: 1170836740-206657981
                                                                                                                                                                            • Opcode ID: f3929d1580c5b35bb30d6753870dedd4da4b53140c537cce089d9b4ec98e7d0c
                                                                                                                                                                            • Instruction ID: ac010d7a9795bdb0a809db07407ab0fc13e51544090991ed0156d94a36262be2
                                                                                                                                                                            • Opcode Fuzzy Hash: f3929d1580c5b35bb30d6753870dedd4da4b53140c537cce089d9b4ec98e7d0c
                                                                                                                                                                            • Instruction Fuzzy Hash: FF41B734A00208EBCF10EF68D888AAEBBF5EF45314F148155E8155B3A3D779DE56CB91

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 630 7ca6c2-7ca6d5 631 7ca78a-7ca790 630->631 632 7ca6db-7ca6dd 630->632 635 7ca795-7ca7a1 call 7c9d3c 631->635 633 7ca769-7ca780 632->633 634 7ca6e3-7ca6f2 call 7ca282 632->634 636 7ca787-7ca788 633->636 637 7ca782 633->637 642 7ca75c-7ca768 634->642 643 7ca6f4-7ca6fd 634->643 636->635 637->636 643->642 644 7ca6ff-7ca701 643->644 645 7ca756 644->645 646 7ca703-7ca705 644->646 645->642 647 7ca71a-7ca731 646->647 648 7ca707-7ca719 646->648 649 7ca738-7ca755 call 7ca46c 647->649 650 7ca733 647->650 650->649
                                                                                                                                                                            APIs
                                                                                                                                                                            • UnDecorator::getArgumentList.LIBCMT ref: 007CA6E7
                                                                                                                                                                              • Part of subcall function 007CA282: Replicator::operator[].LIBCMT ref: 007CA305
                                                                                                                                                                              • Part of subcall function 007CA282: DName::operator+=.LIBCMT ref: 007CA30D
                                                                                                                                                                            • DName::operator+.LIBCMT ref: 007CA740
                                                                                                                                                                            • DName::DName.LIBCMT ref: 007CA798
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                                                                                                                                                            • String ID: (;C$4;C$8;C$D;C
                                                                                                                                                                            • API String ID: 834187326-2621726175
                                                                                                                                                                            • Opcode ID: 00b4ba88f2529d6448c9a8a500a00b8311539c59f106ea20ca9a2e191a690bfb
                                                                                                                                                                            • Instruction ID: daafdee3cc9d74c08289786d0c2af3db16b348e032d6948318fe874893d0179f
                                                                                                                                                                            • Opcode Fuzzy Hash: 00b4ba88f2529d6448c9a8a500a00b8311539c59f106ea20ca9a2e191a690bfb
                                                                                                                                                                            • Instruction Fuzzy Hash: 99213C35600248AFCB15DF1CD444EA97BB4FF4574BB4480ADE845DB266C738EA46CB4A
                                                                                                                                                                            APIs
                                                                                                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00793F7C
                                                                                                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 0079408A
                                                                                                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 007941F7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallMatchTypeUnexpectedtype_info::operator==
                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                            • API String ID: 1206542248-393685449
                                                                                                                                                                            • Opcode ID: 7aa1a579ac44d4ddba5092aee05d689c806eae71af2be5ec04bd42dc4187fb16
                                                                                                                                                                            • Instruction ID: e1b76d12e159546060f332272ad9a7f56492cae227f2564b2f5aa72f4a51a1fb
                                                                                                                                                                            • Opcode Fuzzy Hash: 7aa1a579ac44d4ddba5092aee05d689c806eae71af2be5ec04bd42dc4187fb16
                                                                                                                                                                            • Instruction Fuzzy Hash: BDB14771C00209EFCF29DFA4E885DAEBBB5FF14310B15419AE8156B212D739DA92CF91
                                                                                                                                                                            APIs
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,00798234,?,007910E3,?,00000000,?,?,007983AD,00000021,FlsSetValue,007A55B8,007A55C0,?), ref: 007981E8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                                            • API String ID: 3664257935-537541572
                                                                                                                                                                            • Opcode ID: 31c6d971be12372c3c8f2b09a38b5b906ee44d9ac08f4154ad2c54c2733de9e4
                                                                                                                                                                            • Instruction ID: cddfeedc32f6ba1034acded78b5c575c4daf3e603eb49e56fb6b9362e04c7993
                                                                                                                                                                            • Opcode Fuzzy Hash: 31c6d971be12372c3c8f2b09a38b5b906ee44d9ac08f4154ad2c54c2733de9e4
                                                                                                                                                                            • Instruction Fuzzy Hash: 5821A871A41218E7CF619B64FC44B5B3759AB83760F250219ED05A7291DF78EE03C6E1
                                                                                                                                                                            APIs
                                                                                                                                                                            • UnDecorator::UScore.LIBCMT ref: 007CC065
                                                                                                                                                                            • DName::DName.LIBCMT ref: 007CC071
                                                                                                                                                                              • Part of subcall function 007C9D3C: DName::doPchar.LIBCMT ref: 007C9D6D
                                                                                                                                                                            • UnDecorator::getScopedName.LIBCMT ref: 007CC0B0
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 007CC0BA
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 007CC0C9
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 007CC0D5
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 007CC0E2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
• String ID:
• API String ID: 1480779885-0
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,642DFF77,?,?,00000000,007A34CC,000000FF,?,0079760F,?,?,007975E3,00000000), ref: 007976B4
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007976C6
• FreeLibrary.KERNEL32(00000000,?,?,00000000,007A34CC,000000FF,?,0079760F,?,?,007975E3,00000000), ref: 007976E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: :!y$CorExitProcess$mscoree.dll
• API String ID: 4061214504-380778296
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
• String ID:
• API String ID: 4267394785-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
• String ID:
• API String ID: 4267394785-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
• String ID:
• API String ID: 4267394785-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Name::operator=$NameName::Name::operator+Name::operator+=$Decorator::getName::doPcharTypeoperator+
• String ID:
• API String ID: 4267394785-0
APIs
• GetLastError.KERNEL32(?,?,007934A8,0079317C,00792355), ref: 007934BF
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007934CD
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007934E6
• SetLastError.KERNEL32(00000000,007934A8,0079317C,00792355), ref: 00793538
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3852720340-0
                                                                                                                                                                            • Opcode ID: 434ec5fc7bfe9f8d51bb49c8df4d8ee759e63d417db387d158c24cebfbc93884
                                                                                                                                                                            • Instruction ID: 42ccced08e80a557b941015c66c281664548b97dc82bf47a8eedfc1eae9b488c
                                                                                                                                                                            • Opcode Fuzzy Hash: 434ec5fc7bfe9f8d51bb49c8df4d8ee759e63d417db387d158c24cebfbc93884
                                                                                                                                                                            • Instruction Fuzzy Hash: 610126722083159EEE2527B4BCDAA3B2B84DB8AB747310339F520811F2FF9D4E119244
APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: __lock_free$___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
• String ID:
• API String ID: 1181530324-0
• Opcode ID: f576442123b04c527e99995057e5f798a06d57a0fbdba5833e7da996cdf46145
• Instruction ID: f8a1e069d7d85fd775b4b96f757a6cbac439786f33eebf7f4bc68a66168f4d5b
• Opcode Fuzzy Hash: f576442123b04c527e99995057e5f798a06d57a0fbdba5833e7da996cdf46145
• Instruction Fuzzy Hash: AE114C31611300EADB60AF799649B2D73B4AF10B10F20451FF85897396CF7D9D829669

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: AdjustPointer
• String ID: :!y
• API String ID: 1740715915-1945855279
• Opcode ID: 00475935ba923abceb80427172e49fe16bf747cb67710bbf8d1a72a0bac9147a
• Instruction ID: 63ccf33ead27559d736c41752db9dd1da79c6ec1ce487d3c93ed6a1689e945a1
• Opcode Fuzzy Hash: 00475935ba923abceb80427172e49fe16bf747cb67710bbf8d1a72a0bac9147a
• Instruction Fuzzy Hash: E151EE76601606EFDF289F54E856BBA73A5EF01710F24452DE802972A1E73DEE80CB90

Strings
• C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe, xrefs: 0079AD71
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\Unlock_Tool_2.3.1.exe
• API String ID: 0-189565579
• Opcode ID: f73eb59541dd7fbdc73a9865acd79ddb990945ede0c9254fb5bdcb0e7f831b81
• Instruction ID: 4c94ab2f104c0d9c726760c54ba469163133f292b666ce2de4b6f75f3446b779
• Opcode Fuzzy Hash: f73eb59541dd7fbdc73a9865acd79ddb990945ede0c9254fb5bdcb0e7f831b81
• Instruction Fuzzy Hash: 4A21FD31206215BFCF20EF70FC8692B77ADAF813647208568F91597551DB39EC108BE2

APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: _memset$Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 2583058844-0
• Opcode ID: e34bf048b61c1259719f24b5a9ebcdb7e29330d4219f1e2d480e2a365f4dc5d7
• Instruction ID: 275d877e5f19c54cae59b85fdb24d921d04216e5c613dcbed662eaf12250e0e7
• Opcode Fuzzy Hash: e34bf048b61c1259719f24b5a9ebcdb7e29330d4219f1e2d480e2a365f4dc5d7
• Instruction Fuzzy Hash: 64C106B2D0021AABCF21EF64DC49AEE777DAF08704F0141A5FA09A3151DB79AF858F51

APIs
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: __calloc_crt__init_pointers__initptd__mtterm
• String ID:
• API String ID: 3132042578-0
• Opcode ID: 0a94c54a7945867de6cfe35b03e58e96b0a908eff489fa3a921db52f6821de8f
• Instruction ID: 3291b42fb148f3f89ad2adad8f6116d3014e2834c1c9869d3797319a770567d6
• Opcode Fuzzy Hash: 0a94c54a7945867de6cfe35b03e58e96b0a908eff489fa3a921db52f6821de8f
• Instruction Fuzzy Hash: 8F315831D08390DADB20AF79BC08B1A3BA5AF49722B10563EE415D36B2DB78D840CF5C

                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: Name::operator+$NameName::
• String ID:
• API String ID: 168861036-0
APIs
• __getptd.LIBCMT ref: 007D2D42
  • Part of subcall function 007CF6D4: __getptd_noexit.LIBCMT ref: 007CF6D7
  • Part of subcall function 007CF6D4: __amsg_exit.LIBCMT ref: 007CF6E4
• __calloc_crt.LIBCMT ref: 007D2D4D
• __lock.LIBCMT ref: 007D2D83
• ___addlocaleref.LIBCMT ref: 007D2D8F
• __lock.LIBCMT ref: 007D2DA3
  • Part of subcall function 007CE874: __getptd_noexit.LIBCMT ref: 007CE874
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__getptd
• String ID:
• API String ID: 2820776222-0
APIs
• __getptd.LIBCMT ref: 007D14A5
  • Part of subcall function 007CF6D4: __getptd_noexit.LIBCMT ref: 007CF6D7
  • Part of subcall function 007CF6D4: __amsg_exit.LIBCMT ref: 007CF6E4
• __getptd.LIBCMT ref: 007D14BC
• __amsg_exit.LIBCMT ref: 007D14CA
• __lock.LIBCMT ref: 007D14DA
• __updatetlocinfoEx_nolock.LIBCMT ref: 007D14EE
Memory Dump Source
• Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
APIs
• __EH_prolog3_catch.LIBCMT ref: 007917B1
• Concurrency::cancel_current_task.LIBCPMT ref: 0079189D
• std::_Xinvalid_argument.LIBCPMT ref: 007918AD
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: Concurrency::cancel_current_taskH_prolog3_catchXinvalid_argumentstd::_
• String ID: vector too long
• API String ID: 4133478652-2873823879
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00793684,00000000,?,0080C104,?,?,?,00793827,00000004,InitializeCriticalSectionEx,007A4C68,InitializeCriticalSectionEx), ref: 007936E0
• GetLastError.KERNEL32(?,00793684,00000000,?,0080C104,?,?,?,00793827,00000004,InitializeCriticalSectionEx,007A4C68,InitializeCriticalSectionEx,00000000,?,007935A7), ref: 007936EA
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00793712
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• GetConsoleOutputCP.KERNEL32(642DFF77,00000000,00000000,?), ref: 0079D08F
  • Part of subcall function 0079B857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007A0349,?,00000000,-00000008), ref: 0079B903
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0079D2EA
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0079D332
• GetLastError.KERNEL32 ref: 0079D3D5
Memory Dump Source
• Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2112829910-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • API ID: _memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2102423945-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • API ID: _memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2102423945-0
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • API ID: _memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2102423945-0
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0079B857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007A0349,?,00000000,-00000008), ref: 0079B903
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0079A5CF
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0079A5D6
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0079A610
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0079A617
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1913693674-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0079B94D
                                                                                                                                                                              • Part of subcall function 0079B857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007A0349,?,00000000,-00000008), ref: 0079B903
                                                                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0079B985
                                                                                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0079B9A5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 158306478-0
                                                                                                                                                                            APIs
                                                                                                                                                                            • __getptd.LIBCMT ref: 007D1741
                                                                                                                                                                              • Part of subcall function 007CF6D4: __getptd_noexit.LIBCMT ref: 007CF6D7
                                                                                                                                                                              • Part of subcall function 007CF6D4: __amsg_exit.LIBCMT ref: 007CF6E4
                                                                                                                                                                            • __amsg_exit.LIBCMT ref: 007D1761
                                                                                                                                                                            • __lock.LIBCMT ref: 007D1771
                                                                                                                                                                            • _free.LIBCMT ref: 007D17A1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3170801528-0
                                                                                                                                                                            • Opcode ID: ede986ab11c6e57392b10305871a61c507c4d0a5f4112cf5c4421020098d088a
                                                                                                                                                                            • Instruction ID: 8e45af3c1798e726c5c4d4a86f5006c4589f6b293ce17efa83f3fcc06e01823b
                                                                                                                                                                            • Opcode Fuzzy Hash: ede986ab11c6e57392b10305871a61c507c4d0a5f4112cf5c4421020098d088a
                                                                                                                                                                            • Instruction Fuzzy Hash: 7301A972D01710FBCB21AB25A949B6D7370AF04B20F54012BE804A73A1CB3CA941CBCA
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000), ref: 007A158F
                                                                                                                                                                            • GetLastError.KERNEL32(?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000,?,?,?,0079D9B0,?), ref: 007A159B
                                                                                                                                                                              • Part of subcall function 007A1561: CloseHandle.KERNEL32(FFFFFFFE,007A15AB,?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000,?,?), ref: 007A1571
                                                                                                                                                                            • ___initconout.LIBCMT ref: 007A15AB
                                                                                                                                                                              • Part of subcall function 007A1523: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007A1552,007A0A1A,?,?,0079D429,?,00000000,00000000,?), ref: 007A1536
                                                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000,?), ref: 007A15C0
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2744216297-0
                                                                                                                                                                            • Opcode ID: b081bce9885d9654ae913919ee989db31fe256d556df98cea49efb93a16e9389
                                                                                                                                                                            • Instruction ID: cf2972be63c6a8b79083ec1f3294d7de6e4616233386e0275975172fe4d8e75f
                                                                                                                                                                            • Opcode Fuzzy Hash: b081bce9885d9654ae913919ee989db31fe256d556df98cea49efb93a16e9389
                                                                                                                                                                            • Instruction Fuzzy Hash: 56F01C37800128BBCF222FD5DC0999A3FA6EBCA3A0F458150FA1985121C63A8920EBD5
                                                                                                                                                                            APIs
                                                                                                                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 00794227
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EncodePointer
                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                            • API String ID: 2118026453-2084237596
                                                                                                                                                                            • Opcode ID: 25ef3ef6db8584a69b31dff201e5d79d727998065986241c31299e46a0d23d0b
                                                                                                                                                                            • Instruction ID: 94e9503364b36f0ca013b483a7f3eaeacde0ddf7aa49313762f663cccfb3d961
                                                                                                                                                                            • Opcode Fuzzy Hash: 25ef3ef6db8584a69b31dff201e5d79d727998065986241c31299e46a0d23d0b
                                                                                                                                                                            • Instruction Fuzzy Hash: 74415771900209EFCF16DFA4E981EEEBBB5FF48304F158199F914A7221D3399A51DB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00798997
                                                                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 007989A9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileHandleType
                                                                                                                                                                            • String ID: B
                                                                                                                                                                            • API String ID: 3000768030-778116840
                                                                                                                                                                            • Opcode ID: 2aa867db0bdc5b5245e03bc51c3e9527fea03c3c7be0aa82f700ae08ea08b205
                                                                                                                                                                            • Instruction ID: 7ca6c09a03733f48c394fa7d0ffb4f8af8381cdb80d8ddf6c86b54dfb13cc58e
                                                                                                                                                                            • Opcode Fuzzy Hash: 2aa867db0bdc5b5245e03bc51c3e9527fea03c3c7be0aa82f700ae08ea08b205
                                                                                                                                                                            • Instruction Fuzzy Hash: 1211B9721087514ACF704E3EAC88636BE94A797330B38071AD1BA965F2CB79F885D643
                                                                                                                                                                            APIs
                                                                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00798413
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CountCriticalInitializeSectionSpin
                                                                                                                                                                            • String ID: :!y$InitializeCriticalSectionEx
                                                                                                                                                                            • API String ID: 2593887523-1094532196
                                                                                                                                                                            • Opcode ID: a58efc6c67c84928a3d2a3dc6b8002a2f87b318b7f0d656486a1c34be2c5f705
                                                                                                                                                                            • Instruction ID: 9b3992deb32c2bcaf64feaf8547ba1dffca28372ecf0f7499c8caf640c6f5f94
                                                                                                                                                                            • Opcode Fuzzy Hash: a58efc6c67c84928a3d2a3dc6b8002a2f87b318b7f0d656486a1c34be2c5f705
                                                                                                                                                                            • Instruction Fuzzy Hash: AEE06D36581258B7CF111F51EC09E9A3F22EBD2760B108110F91815160CBBA89619AD5
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.2300140019.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.2300105330.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300198038.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300223851.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300334108.000000000080B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300390718.000000000080C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300427095.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.2300457247.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_790000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Alloc
• String ID: :!y$FlsAlloc
• API String ID: 2773662609-1522199544

Execution Graph

Execution Coverage: 8.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.2%
Total number of Nodes: 1293
Total number of Limit Nodes: 38
31964->31966 31965->31964 31966->31814 31967->31965 31968 4118ac VariantInit 31967->31968 31969 4118cb 31968->31969 32056 41172c 31969->32056 31971 4118d6 FileTimeToSystemTime 31972 4118f1 31971->31972 31973 41192d VariantClear 31972->31973 31973->31965 32065 42f0ed 31974->32065 31976 411978 CoInitializeEx CoInitializeSecurity CoCreateInstance 31977 4119ce 31976->31977 31978 4119d6 CoSetProxyBlanket 31977->31978 31979 411a68 31977->31979 31980 411a06 31978->31980 31979->31816 31980->31979 31981 411a2e VariantInit 31980->31981 31982 411a4d 31981->31982 31983 411a5c VariantClear 31982->31983 31983->31979 31984->31820 31986 410dd7 31985->31986 31987 410e17 GetLocaleInfoA 31986->31987 31990 410ec2 31986->31990 31987->31986 31988 41d05a ___getlocaleinfo 5 API calls 31989 410eea 31988->31989 31989->31822 31990->31988 31992 410d24 GetTimeZoneInformation 31991->31992 31994 410d3f 31992->31994 31995 41d05a ___getlocaleinfo 5 API calls 31994->31995 31996 410d68 31995->31996 31996->31826 31998 410f40 RegOpenKeyExA 31997->31998 32000 410f69 RegQueryValueExA 31998->32000 32001 410f81 31998->32001 32000->32001 32001->31828 32003 41101d 32002->32003 32004 41d05a ___getlocaleinfo 5 API calls 32003->32004 32005 4110ec 32004->32005 32005->31830 32007 410fc7 32006->32007 32008 41d05a ___getlocaleinfo 5 API calls 32007->32008 32009 410fda 32008->32009 32009->31832 32011 41110c 32010->32011 32012 411122 GlobalMemoryStatusEx 32011->32012 32013 411134 32012->32013 32014 41d05a ___getlocaleinfo 5 API calls 32013->32014 32015 411165 32014->32015 32015->31834 32018 411188 32016->32018 32017 41d05a ___getlocaleinfo 5 API calls 32019 4111d6 32017->32019 32018->32017 32019->31836 32066 4104bc 32020->32066 32022 41149b CreateToolhelp32Snapshot Process32First 32023 411521 32022->32023 32027 4114c3 32022->32027 32025 41d05a ___getlocaleinfo 5 API calls 32023->32025 32024 41150f Process32Next 32024->32023 32024->32027 32026 411536 32025->32026 32026->31838 32027->32024 32029 4104bc 32028->32029 
32030 411210 RegOpenKeyExA 32029->32030 32032 411433 32030->32032 32038 411256 32030->32038 32031 41125c RegEnumKeyExA 32031->32038 32034 41d05a ___getlocaleinfo 5 API calls 32032->32034 32033 4112b8 RegOpenKeyExA 32033->32032 32035 4112df RegQueryValueExA 32033->32035 32036 411478 32034->32036 32035->32038 32036->31840 32037 411385 RegQueryValueExA 32037->32038 32038->32031 32038->32032 32038->32033 32038->32037 32040 416ee9 32039->32040 32041 416f6b CreateThread WaitForSingleObject 32040->32041 32068 41cd0d 32040->32068 32044 416f93 32041->32044 32258 416e08 32041->32258 32044->31844 32046 423c6c 32045->32046 32046->31940 32046->32046 32050 410b7e 32047->32050 32049 410b2d 32049->31956 32049->31957 32051 410b98 RegOpenKeyExA 32050->32051 32053 410bc1 RegQueryValueExA 32051->32053 32054 410bd8 32051->32054 32053->32054 32054->32049 32055->31961 32064 42f0ed 32056->32064 32058 411738 CoCreateInstance 32059 411760 SysAllocString 32058->32059 32061 4117bc 32058->32061 32060 41176f 32059->32060 32059->32061 32062 4117b5 SysFreeString 32060->32062 32063 411793 _wtoi64 SysFreeString 32060->32063 32061->31971 32062->32061 32063->32062 32064->32058 32065->31976 32067 4104c7 32066->32067 32067->32022 32071 41ccc5 32068->32071 32072 41ccd4 32071->32072 32073 416f69 32071->32073 32072->32073 32075 41c4b7 32072->32075 32073->32041 32079 41c4e9 32075->32079 32106 41c4df 32075->32106 32076 41d05a ___getlocaleinfo 5 API calls 32078 41caf0 32076->32078 32077 41c513 lstrcpyA 32080 41c530 32077->32080 32077->32106 32078->32073 32079->32077 32079->32106 32081 41c5a0 32080->32081 32210 41b8b5 9 API calls 32080->32210 32083 41c5c1 32081->32083 32084 41c5b2 32081->32084 32085 41c5d6 32083->32085 32086 41c5c6 32083->32086 32211 41bf8c 20 API calls 32084->32211 32089 41c5eb 32085->32089 32090 41c5db 32085->32090 32212 41c00b 18 API calls ___getlocaleinfo 32086->32212 32093 41c5f4 32089->32093 32089->32106 32213 41c12e 8 API calls ___getlocaleinfo 32090->32213 32091 41c5f9 32096 41c603 
lstrcpyA lstrcpyA lstrlenA 32091->32096 32091->32106 32214 41c1f1 8 API calls ___getlocaleinfo 32093->32214 32094 41c5bf 32094->32091 32097 41c643 lstrcatA 32096->32097 32098 41c65b lstrcpyA 32096->32098 32097->32098 32099 41c6c4 32098->32099 32138 41ae98 32099->32138 32101 41c81a 32102 41c82f 32101->32102 32103 41c81e 32101->32103 32105 41c849 32102->32105 32110 41c858 32102->32110 32215 41c331 CloseHandle 32103->32215 32216 41c331 CloseHandle 32105->32216 32106->32076 32108 41c8a4 32111 41c8a6 rand 32108->32111 32109 41c88c GetDesktopWindow GetTickCount srand 32109->32108 32110->32108 32110->32109 32111->32111 32112 41c8b9 32111->32112 32113 41c8ef 32112->32113 32116 41c900 32112->32116 32217 41bdc5 malloc WriteFile _memmove 32113->32217 32115 41c8fc 32115->32116 32117 41c941 32116->32117 32118 41c931 32116->32118 32122 41c93f 32116->32122 32121 41c945 32117->32121 32117->32122 32203 41c372 32118->32203 32218 41c45f malloc WriteFile ReadFile 32121->32218 32219 41c331 CloseHandle 32122->32219 32124 41c965 32124->32106 32125 41ca2f 32124->32125 32126 41c9c2 32124->32126 32137 41c850 32125->32137 32222 41b0fa malloc WriteFile 32125->32222 32220 41bea5 SetFilePointer 32126->32220 32129 41c9fc 32130 41ae98 2 API calls 32129->32130 32129->32137 32132 41ca17 32130->32132 32131 41ca78 malloc 32223 4270a0 32131->32223 32132->32106 32221 41bea5 SetFilePointer 32132->32221 32135 41ca9b malloc 32135->32137 32136 41ca29 32136->32106 32136->32131 32136->32137 32137->32106 32224 41bdc5 malloc WriteFile _memmove 32138->32224 32140 41aeb0 32225 41bdc5 malloc WriteFile _memmove 32140->32225 32142 41aec0 32226 41bdc5 malloc WriteFile _memmove 32142->32226 32144 41aed0 32227 41bdc5 malloc WriteFile _memmove 32144->32227 32146 41aee0 32228 41bdc5 malloc WriteFile _memmove 32146->32228 32148 41aef2 32229 41bdc5 malloc WriteFile _memmove 32148->32229 32150 41af04 32230 41bdc5 malloc WriteFile _memmove 32150->32230 32152 41af16 32231 41bdc5 malloc WriteFile _memmove 32152->32231 32154 
41af28 32232 41bdc5 malloc WriteFile _memmove 32154->32232 32156 41af3a 32233 41bdc5 malloc WriteFile _memmove 32156->32233 32158 41af4c 32234 41bdc5 malloc WriteFile _memmove 32158->32234 32160 41af5e 32235 41bdc5 malloc WriteFile _memmove 32160->32235 32162 41af70 32236 41bdc5 malloc WriteFile _memmove 32162->32236 32164 41af82 32237 41bdc5 malloc WriteFile _memmove 32164->32237 32166 41af94 32238 41bdc5 malloc WriteFile _memmove 32166->32238 32168 41afa6 32239 41bdc5 malloc WriteFile _memmove 32168->32239 32170 41afb8 32240 41bdc5 malloc WriteFile _memmove 32170->32240 32172 41afca 32241 41bdc5 malloc WriteFile _memmove 32172->32241 32174 41afdc 32242 41bdc5 malloc WriteFile _memmove 32174->32242 32176 41afee 32243 41bdc5 malloc WriteFile _memmove 32176->32243 32178 41b000 32244 41bdc5 malloc WriteFile _memmove 32178->32244 32180 41b012 32245 41bdc5 malloc WriteFile _memmove 32180->32245 32182 41b024 32246 41bdc5 malloc WriteFile _memmove 32182->32246 32184 41b036 32247 41bdc5 malloc WriteFile _memmove 32184->32247 32186 41b048 32248 41bdc5 malloc WriteFile _memmove 32186->32248 32188 41b05a 32249 41bdc5 malloc WriteFile _memmove 32188->32249 32190 41b06c 32250 41bdc5 malloc WriteFile _memmove 32190->32250 32192 41b07e 32251 41bdc5 malloc WriteFile _memmove 32192->32251 32194 41b093 32252 41bdc5 malloc WriteFile _memmove 32194->32252 32196 41b0a5 32253 41bdc5 malloc WriteFile _memmove 32196->32253 32198 41b0ba 32199 41b0d1 32198->32199 32254 41bdc5 malloc WriteFile _memmove 32198->32254 32201 41b0d6 32199->32201 32255 41bdc5 malloc WriteFile _memmove 32199->32255 32201->32101 32204 41c37e malloc 32203->32204 32205 41c390 32203->32205 32204->32205 32256 41954f IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 32205->32256 32207 41c414 32257 41abc7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 32207->32257 32209 41c42f 32209->32122 32210->32081 
32211->32094 32212->32094 32213->32094 32214->32091 32215->32106 32216->32137 32217->32115 32218->32122 32219->32124 32220->32129 32221->32136 32222->32136 32223->32135 32224->32140 32225->32142 32226->32144 32227->32146 32228->32148 32229->32150 32230->32152 32231->32154 32232->32156 32233->32158 32234->32160 32235->32162 32236->32164 32237->32166 32238->32168 32239->32170 32240->32172 32241->32174 32242->32176 32243->32178 32244->32180 32245->32182 32246->32184 32247->32186 32248->32188 32249->32190 32250->32192 32251->32194 32252->32196 32253->32198 32254->32199 32255->32201 32256->32207 32257->32209 32261 416e14 __EH_prolog3_catch 32258->32261 32259 416e25 32260 405482 9 API calls 32260->32261 32261->32259 32261->32260 32306 407eae malloc 32262->32306 32264 407efc 32264->31865 32266 40e191 _memset 32265->32266 32267 40e1d3 RegOpenKeyExA 32266->32267 32268 40e20c RegGetValueA 32267->32268 32270 40e68d 32267->32270 32269 40e25c 32268->32269 32283 40e239 32268->32283 32271 40e27e RegOpenKeyExA 32269->32271 32269->32283 32272 41d05a ___getlocaleinfo 5 API calls 32270->32272 32271->32270 32280 40e29c 32271->32280 32273 40e6a2 32272->32273 32273->31858 32274 40e32b RegGetValueA 32274->32280 32275 40e37e RegGetValueA 32275->32280 32277 40e45a RegGetValueA 32277->32280 32278 40e4d9 RegGetValueA 32278->32280 32280->32274 32280->32275 32280->32277 32280->32278 32281 40e611 32280->32281 32280->32283 32307 4123db 5 API calls ___getlocaleinfo 32280->32307 32308 40dc75 106 API calls ___getlocaleinfo 32280->32308 32282 416ed9 57 API calls 32281->32282 32282->32283 32283->32270 32285 40e6bd 32284->32285 32309 411d91 32285->32309 32287 40e6ce 32313 407fac CreateFileA 32287->32313 32289 40e72b 32292 40ea35 32289->32292 32315 411df4 32289->32315 32292->31867 32293 40e74a strtok_s 32299 40e76b 32293->32299 32294 40ea02 32295 416ed9 57 API calls 32294->32295 32295->32292 32296 4123aa malloc strncpy 32298 40e7be 32296->32298 32297 40e9e5 strtok_s 32297->32299 32298->32296 
32298->32299 32299->32294 32299->32297 32299->32298 32300->31865 32301->31865 32302->31865 32303->31867 32304->31867 32305->31867 32306->32264 32307->32280 32308->32280 32310 411dd8 32309->32310 32311 41d05a ___getlocaleinfo 5 API calls 32310->32311 32312 411df2 32311->32312 32312->32287 32314 407fd4 32313->32314 32314->32289 32316 411e02 32315->32316 32317 40e741 32315->32317 32316->32317 32318 411e06 LocalAlloc 32316->32318 32317->32292 32317->32293 32318->32317 32319->31878 32320->31882 32322 41cc23 32321->32322 32323 41cc15 32321->32323 32330 41bc66 32322->32330 32341 41bbb1 lstrlenA malloc lstrcpyA 32323->32341 32325 41cc1f 32325->32322 32328 41cc49 malloc 32329 41cc3c 32328->32329 32329->31152 32331 41bc75 32330->32331 32337 41bcce 32330->32337 32332 41bcd5 32331->32332 32333 41bca8 SetFilePointer 32331->32333 32331->32337 32334 41bd10 32332->32334 32335 41bcdb CreateFileA 32332->32335 32333->32337 32334->32337 32338 41bd34 CreateFileMappingA 32334->32338 32336 41bcf9 32335->32336 32336->32337 32337->32328 32337->32329 32338->32337 32339 41bd50 MapViewOfFile 32338->32339 32339->32337 32340 41bd66 CloseHandle 32339->32340 32340->32337 32341->32325

Control-flow Graph (function 41c4b7; rendered graph and edge list omitted)
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID:
• String ID: /$UT
• API String ID: 0-1626504983
• Opcode ID: 375b76cf62abd5f7dd4df4683fbf8252338f38d1a5fa21a65283e4b32dc89bc6
• Instruction ID: 9787a365ec18c0bf1930f8717519833fdc736eeb0207a270142cd3a14faf4db2
• Opcode Fuzzy Hash: 375b76cf62abd5f7dd4df4683fbf8252338f38d1a5fa21a65283e4b32dc89bc6
• Instruction Fuzzy Hash: 8C026DB19442688BDF21DF64CC807EEBBB5AF45304F1440EAD949A7242D7389EC5CF99

Control-flow Graph (function 41196c; rendered graph and edge list omitted)
APIs
• __EH_prolog3_catch.LIBCMT ref: 00411973
• CoInitializeEx.OLE32(00000000,00000000,00000030,00413FA7,?,AV: ,004368CC,Install Date: ,004368B8,00000000,Windows: ,004368A8,Work Dir: In memory,00436890), ref: 00411982
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411993
• CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119AD
• CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004119E3
• VariantInit.OLEAUT32(?), ref: 00411A32
• VariantClear.OLEAUT32(?), ref: 00411A60
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: InitializeVariant$BlanketClearCreateH_prolog3_catchInitInstanceProxySecurity
• String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
• API String ID: 3060130021-315474579
• Opcode ID: 7f379c790eb099f24fc055ea34a0325628612ab894480d039f292940774d93bd
• Instruction ID: 3fda5078456e7a0d609a00957094a3acbddb435200cc30907b6e8efe348fab49
• Opcode Fuzzy Hash: 7f379c790eb099f24fc055ea34a0325628612ab894480d039f292940774d93bd
• Instruction Fuzzy Hash: E2315471A40209BBCB20DB91DC49EEFBF7DEFC9B10F20425EF211A61A0C6795941CB68

Control-flow Graph (function 406963; rendered graph and edge list omitted)
APIs
• Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
• Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
• Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
• Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
• InternetOpenA.WININET(?,00000001,00000000,00000000,00000000,00436993), ref: 004069C5
• InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
• InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
• InternetCloseHandle.WININET(?), ref: 00406B50
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Internet$CloseConnectCrackFileHandleHttpOpenReadRequestSend
                                                                                                                                                                            • String ID: @iA$ERROR$ERROR$GET
                                                                                                                                                                            • API String ID: 1796428842-3546687611
                                                                                                                                                                            • Opcode ID: 0c02ab2dcbf62ab04cd99dd3ba698df3d28e16d0d46a3e4f9a19e9731555a9fe
                                                                                                                                                                            • Instruction ID: d8bde7e051fe936688ae94f634ee4e08a5faa0caa340d4fa3fbcfbce63435b0b
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c02ab2dcbf62ab04cd99dd3ba698df3d28e16d0d46a3e4f9a19e9731555a9fe
                                                                                                                                                                            • Instruction Fuzzy Hash: 1251A0B1A00229AFDF20AF20DC85AEEB7B9FB04344F0181F6F549B2191CA755EC59F84
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0043670F,?,?), ref: 004114A9
                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 004114B9
                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 00411517
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process32$CreateFirstNextSnapshotToolhelp32
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1238713047-0
                                                                                                                                                                            • Opcode ID: 804b59de0022c0a22ffba1be1da70e1bd92732a17a177211fa0686da41351996
                                                                                                                                                                            • Instruction ID: 4ea20aa850d654643913a215028a8477d38f7f0d75996d48367efc27095c6f7e
                                                                                                                                                                            • Opcode Fuzzy Hash: 804b59de0022c0a22ffba1be1da70e1bd92732a17a177211fa0686da41351996
                                                                                                                                                                            • Instruction Fuzzy Hash: 3411A371A00218A7DB11FB219C85AEE73A9AF44704F00109AF90AB7291CB789FC58F59
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C34
                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C3B
                                                                                                                                                                            • GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C4F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$AllocNameProcessUser
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1206570057-0
                                                                                                                                                                            • Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
                                                                                                                                                                            • Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
                                                                                                                                                                            • Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
                                                                                                                                                                            • Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E2C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                            • String ID: /
                                                                                                                                                                            • API String ID: 2299586839-4001269591
                                                                                                                                                                            • Opcode ID: ce6f2f2ca10474b0a97e541b6f36cad0183382322380a2636a05f6b3ca651ab3
                                                                                                                                                                            • Instruction ID: cb4dd5b7474b79c5993221afdf8c45715871f25fde254037933c8c8e47344f7b
                                                                                                                                                                            • Opcode Fuzzy Hash: ce6f2f2ca10474b0a97e541b6f36cad0183382322380a2636a05f6b3ca651ab3
                                                                                                                                                                            • Instruction Fuzzy Hash: 0D31FA71900328ABDB20EB65DD89ADEB3B8BB04305F1045EAF519B7152CBB86EC58F54
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 00410D34
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InformationTimeZone
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 565725191-0
                                                                                                                                                                            • Opcode ID: e053bf9d0ea2a25b27af1172a1bfc3f5b5eb9bf6fc4c3b7a4649e4a77b228e05
                                                                                                                                                                            • Instruction ID: feaee98c82f226e65d9751a1a55654853175a6affee0276e42e7902f2bb5e1d1
                                                                                                                                                                            • Opcode Fuzzy Hash: e053bf9d0ea2a25b27af1172a1bfc3f5b5eb9bf6fc4c3b7a4649e4a77b228e05
                                                                                                                                                                            • Instruction Fuzzy Hash: 19F0E971A00324ABEB04DBB4EC49BAB37B9AB04729F100295F515D72D0DB74AF858B95
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00410FA9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InfoSystem
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 31276548-0
                                                                                                                                                                            • Opcode ID: f6cc537a8d259f33440bfcf2a59015abf239682aa6aea29871f9168d6b10e10c
                                                                                                                                                                            • Instruction ID: 3fe8b6109728b161727a24735e2f8503b38c563086272a1cf22f2bb380138bbb
                                                                                                                                                                            • Opcode Fuzzy Hash: f6cc537a8d259f33440bfcf2a59015abf239682aa6aea29871f9168d6b10e10c
                                                                                                                                                                            • Instruction Fuzzy Hash: 0EE092B0D1020D9BCF10DFA0EC45ADE77FCAB08308F0054B5A505D3180DA74ABC98F88
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418586), ref: 004014DF
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrcmpi
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1586166983-0
                                                                                                                                                                            • Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
                                                                                                                                                                            • Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
                                                                                                                                                                            • Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
                                                                                                                                                                            • Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 0040E18C
                                                                                                                                                                            • _memset.LIBCMT ref: 0040E1AC
                                                                                                                                                                            • _memset.LIBCMT ref: 0040E1BD
                                                                                                                                                                            • _memset.LIBCMT ref: 0040E1CE
                                                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E202
                                                                                                                                                                            • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E233
                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E292
                                                                                                                                                                            • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368D7), ref: 0040E34E
                                                                                                                                                                            • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3AE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memset$Value$Open
                                                                                                                                                                            • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
                                                                                                                                                                            • API String ID: 2191171593-2798830873
                                                                                                                                                                            • Opcode ID: 1b23a7cec8ce1a068f0904835dff8764a5d3e31adcc74daa50b1addd64c79da9
                                                                                                                                                                            • Instruction ID: 3de73c6830c2fad38347e0384e5faadb251f520f0b3c27047f30c6be6412ffb3
                                                                                                                                                                            • Opcode Fuzzy Hash: 1b23a7cec8ce1a068f0904835dff8764a5d3e31adcc74daa50b1addd64c79da9
                                                                                                                                                                            • Instruction Fuzzy Hash: D3D1F6B191012DABDB20EB91DC82BD9B779AF04348F1054EBA508B3091DAB47FC9CF65
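The registry accesses above (HKEY_CURRENT_USER is 0x80000001; RRF_RT_REG_DWORD 0x10 for UseMasterPassword, RRF_RT_REG_SZ 0x02 for HostName, RRF_RT_ANY 0xFFFF for PortNumber) together with the strings ":22", "Login: ", "Password: " and "Soft: WinSCP" describe a WinSCP session harvester: it checks whether a master password is set, then reads HostName, PortNumber (defaulting to 22), UserName and Password from every saved session. For an incident responder the useful question is what that routine could actually have recovered on a given host. The following is an added example written for this report, not code from the sample or from Joe Sandbox: it parses the text of a `reg export` of the WinSCP key (constructed inline here), applies the same checks, and de-obfuscates stored passwords with WinSCP's own "simple" stored-password scheme (hex encoding of NOT(byte) XOR 0xA3, keyed with UserName followed by HostName). That decoding step is an assumption about WinSCP, not something this report shows the sample doing, and the record layout is modelled on the strings listed above rather than copied from the sample's passwords.txt output.

```python
r"""Scope what a WinSCP session harvester could have read from a host.

Added example, not code from the sample or from the Joe Sandbox report. Input is
the text of `reg export "HKCU\Software\Martin Prikryl\WinSCP 2"` (constructed
below). Password decoding uses WinSCP's own "simple" stored-password scheme;
that is an assumption about WinSCP, not something the report shows the sample doing.
"""
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

PW_MAGIC = 0xA3  # WinSCP PWALG_SIMPLE_MAGIC
PW_FLAG = 0xFF   # WinSCP PWALG_SIMPLE_FLAG: length byte and key prefix follow
WINSCP_ROOT = r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2"

def _dec_next(hexstr: str, pos: int) -> Tuple[int, int]:
    """Decode one obfuscated byte at hexstr[pos:pos+2]; returns (byte, next pos)."""
    if pos + 2 > len(hexstr):
        return 0, pos
    return (~(int(hexstr[pos:pos + 2], 16) ^ PW_MAGIC)) & 0xFF, pos + 2

def decrypt_password(stored: str, user: str, host: str) -> Optional[str]:
    """Recover a stored WinSCP password; None when the user+host key does not match."""
    key = (user + host).encode("utf-8")
    flag, pos = _dec_next(stored, 0)
    if flag == PW_FLAG:                      # current layout: flag, internal byte, length
        _, pos = _dec_next(stored, pos)
        length, pos = _dec_next(stored, pos)
    else:                                    # legacy layout: first byte is the length
        length = flag
    shift, pos = _dec_next(stored, pos)
    pos += shift * 2                         # skip the random filler prefix
    out = bytearray()
    for _ in range(length):
        ch, pos = _dec_next(stored, pos)
        out.append(ch)
    if flag == PW_FLAG and not out.startswith(key):
        return None
    return out[len(key) if flag == PW_FLAG else 0:].decode("utf-8", "replace")

def encrypt_password(password: str, user: str, host: str, shift: int = 0) -> str:
    """Inverse of decrypt_password; used only to construct the sample data below."""
    def enc(b: int) -> str:
        return "%02X" % ((~b ^ PW_MAGIC) & 0xFF)
    data = (user + host + password).encode("utf-8")
    head = enc(PW_FLAG) + enc(0x00) + enc(len(data)) + enc(shift)
    return head + enc(0x41) * shift + "".join(enc(b) for b in data)  # fixed filler instead of random

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal reader for `reg export` output: REG_SZ and REG_DWORD values only."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return keys

# password is None when nothing is stored, a master password is set, or the key does not match
ExposedSession = namedtuple("ExposedSession", "name host port user password")

def scope_winscp_exposure(keys: Dict[str, Dict[str, object]]) -> List[ExposedSession]:
    """Walk every Sessions subkey the way the report's registry accesses suggest."""
    master = bool(keys.get(WINSCP_ROOT + r"\Configuration\Security", {}).get("UseMasterPassword", 0))
    prefix = WINSCP_ROOT + r"\Sessions" + "\\"
    found: List[ExposedSession] = []
    for path, values in keys.items():
        host = values.get("HostName")
        if not path.startswith(prefix) or not host:
            continue
        user, stored, password = str(values.get("UserName", "")), values.get("Password"), None
        if stored and not master:  # with a master password set the value is encrypted under it, not this scheme
            password = decrypt_password(str(stored), user, str(host))
        found.append(ExposedSession(unquote(path[len(prefix):]), str(host),
                                    int(values.get("PortNumber", 22)), user, password))
    return found

def format_like_harvester(s: ExposedSession) -> str:
    """Record layout modelled on the report's strings (Soft:, Host:, Login:, Password:)."""
    return "Soft: WinSCP\nHost: %s:%d\nLogin: %s\nPassword: %s\n" % (s.host, s.port, s.user, s.password or "")

# Constructed reg export (not captured from a real host); Password values come from encrypt_password.
SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + WINSCP_ROOT + r"\Configuration\Security]", '"UseMasterPassword"=dword:00000000', "",
    "[" + WINSCP_ROOT + r"\Sessions\root%40srv]", '"HostName"="srv"', '"UserName"="root"',
    '"Password"="%s"' % encrypt_password("pw", "root", "srv"), "",
    "[" + WINSCP_ROOT + r"\Sessions\alice%40bastion.example]", '"HostName"="bastion.example"',
    '"PortNumber"=dword:000008AE', '"UserName"="alice"',
    '"Password"="%s"' % encrypt_password("s3cret!", "alice", "bastion.example", shift=3), "",
    "[" + WINSCP_ROOT + r"\Sessions\svc%40files.example]", '"HostName"="files.example"', '"UserName"="svc"',
])
```

On a live host the input comes from `reg export "HKCU\Software\Martin Prikryl\WinSCP 2" winscp.reg /y` (the file is UTF-16LE, so open it with `encoding="utf-16"` before passing the text to `parse_reg_export`), and `scope_winscp_exposure` then lists every session whose password was readable without a master password; those are the credentials to rotate first. Two caveats follow from the report itself: the sample only reads the registry, so a WinSCP installation that keeps its settings in WinSCP.ini is not covered by these accesses, and the UseMasterPassword check means a set master password turns a cleartext exposure into an encrypted blob the simple decoder cannot recover.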

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 00401696
                                                                                                                                                                            • wsprintfW.USER32 ref: 004016BC
                                                                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
                                                                                                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00401705
                                                                                                                                                                            • _time64.MSVCRT ref: 0040170E
                                                                                                                                                                            • srand.MSVCRT ref: 00401715
                                                                                                                                                                            • rand.MSVCRT ref: 0040171E
                                                                                                                                                                            • _memset.LIBCMT ref: 0040172E
                                                                                                                                                                            • WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
                                                                                                                                                                            • _memset.LIBCMT ref: 00401763
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00401771
                                                                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
                                                                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
                                                                                                                                                                            • _memset.LIBCMT ref: 004017BE
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
                                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 004017CF
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 004017DB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
                                                                                                                                                                            • String ID: %s%s$delays.tmp
                                                                                                                                                                            • API String ID: 1620473967-1413376734
                                                                                                                                                                            • Opcode ID: f76aab6d78298610a3b7e28b579f52f37c4603c13cc720c1ac32be6eed9832ba
                                                                                                                                                                            • Instruction ID: 05fc87705062c45bfe73a5c894f0b3df5a3edf33da4a3e3f9b5da5ca26733804
                                                                                                                                                                            • Opcode Fuzzy Hash: f76aab6d78298610a3b7e28b579f52f37c4603c13cc720c1ac32be6eed9832ba
                                                                                                                                                                            • Instruction Fuzzy Hash: 2741D9B1D00218ABD7205F71AC4CF9F7B7DEB85715F1002BAF10AE10A1DA354A54CF28
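Read together, the APIs above describe one routine: build %TEMP%\delays.tmp with wsprintfW("%s%s"), allocate 0xFFFFF bytes, fill them from srand/rand, WriteFile, close, reopen, ReadFile the same size, zero and free the buffer, close. The raw CreateFileW arguments carry the detail: the write handle is CREATE_ALWAYS with FILE_ATTRIBUTE_TEMPORARY, the read handle is OPEN_EXISTING with 0x04000100, i.e. FILE_ATTRIBUTE_TEMPORARY plus FILE_FLAG_DELETE_ON_CLOSE, so the file disappears on the final CloseHandle and nothing is ever done with its contents. The following is an added example, not part of the report: a decoder for the CreateFileW lines as Joe Sandbox prints them, run over the two lines copied from this listing (the constant tables are the Win32 values).

```python
# Added example, not part of the report: decode the raw CreateFileW arguments
# the APIs list prints.  Input lines are copied from the listing above;
# the constant tables are the documented Win32 values.
import re

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
         0x4: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
         0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
         0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
         0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
         0x10000000: "FILE_FLAG_RANDOM_ACCESS", 0x20000000: "FILE_FLAG_NO_BUFFERING",
         0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}

CALL_RE = re.compile(r"CreateFileW\.KERNEL32\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]{8})")


def _bits(value, table: dict) -> list:
    """Named bits in ascending order, plus any unnamed remainder as hex."""
    if value is None:
        return ["?"]
    names = [n for bit, n in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names


def decode_createfile(line: str):
    """Decode one 'CreateFileW.KERNEL32(...)' report line; None for other APIs."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group(1).split(",")]
    # Joe Sandbox prints '?' for values it could not resolve, hex otherwise.
    vals = [None if a == "?" else int(a, 16) for a in args]
    access, share, _secattr, disp, flags = vals[1:6]
    return {
        "ref": m.group(2),
        "access": _bits(access, GENERIC),
        "share": _bits(share, SHARE),            # [] means an exclusive open
        "disposition": DISPOSITION.get(disp, "?" if disp is None else hex(disp)),
        "flags": _bits(flags, FLAGS),
        "delete_on_close": bool(flags is not None and flags & 0x04000000),
    }


# Copied from the APIs list of this function.
REPORT_LINES = [
    "CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6",
    "CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D",
]


def decode_all(lines) -> list:
    return [d for d in (decode_createfile(l) for l in lines) if d]


if __name__ == "__main__":
    for d in decode_all(REPORT_LINES):
        print(d["ref"], d["disposition"], d["access"], d["flags"])
```

The same decoder applies to any CreateFileW line in the report; the unnamed-remainder branch keeps unexpected bits visible instead of silently dropping them.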

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 144 405482-4054d0 call 4104bc call 4104ee call 404ab6 150 4054d5-405593 call 411e32 * 2 call 4104bc * 4 144->150 165 405595 150->165 166 40559b-4055a1 150->166 165->166 167 4055a3-4055b8 166->167 168 4055be-4056ce call 411c1f call 41059c call 410562 call 402920 * 2 call 4105de call 41059c call 4105de call 410562 call 402920 * 3 call 4105de call 41059c call 410562 call 402920 * 2 166->168 167->168 172 405e64-405eec call 402920 * 4 call 4104ee call 402920 * 3 167->172 168->172 237 4056d4-405712 168->237 207 405eee-405f2e call 402920 * 6 call 41d05a 172->207 239 405e58 237->239 240 405718-40571e 237->240 239->172 241 405720-405735 240->241 242 40573c-405d77 call 4105de call 410562 call 402920 call 41059c call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 41059c call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 41059c call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 41059c call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 41059c call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4105de call 410562 call 402920 call 4270a0 * 3 240->242 241->242 440 405db5-405dc5 call 411ad2 
242->440 441 405d79-405db0 call 4104bc call 402920 * 3 242->441 446 405dcb-405dd0 440->446 447 405f2f 440->447 441->207 449 405e11-405e2e 446->449 454 405e30-405e43 449->454 455 405dd2-405dda 449->455 461 405e45 454->461 462 405e4c 454->462 455->454 458 405ddc-405e0c call 4105de call 410562 call 402920 455->458 458->449 461->462 462->239
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                                                                              • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                                                                              • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                                                                              • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                                                                            • _memmove.LIBCMT ref: 00405CB4
                                                                                                                                                                            • _memmove.LIBCMT ref: 00405CD6
                                                                                                                                                                            • _memmove.LIBCMT ref: 00405D05
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove$CrackInternet
                                                                                                                                                                            • String ID: ------$"$"$"$"$--$------$------$------$------$23a142269e47ce1692ccc9fb68473bc2$ERROR$ERROR$block$build_id$file_data
                                                                                                                                                                            • API String ID: 1366773753-1636173138
                                                                                                                                                                            • Opcode ID: 28771bb067b9c7fcd20c90bf186157bfb71e693ef21f2fa98bc3936b1868d248
                                                                                                                                                                            • Instruction ID: cffeca1b0dfeb35b510a7fd6e08703f5ef04152c4c5254e8e8f843b90d2d8adf
                                                                                                                                                                            • Opcode Fuzzy Hash: 28771bb067b9c7fcd20c90bf186157bfb71e693ef21f2fa98bc3936b1868d248
                                                                                                                                                                            • Instruction Fuzzy Hash: FC42B5719001699BDF21FB21DC45ADDB7B9BF04348F0085E6A589B3162CEB46FC69F88
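This function parses the C2 URL (InternetCrackUrlA in the subcall) and assembles an upload body from the fragments in its string list: runs of dashes, quote characters, and the field names build_id, block and file_data, which is the shape of a multipart/form-data POST. The report shows only those fragments, not the full layout. The following is an added example, not code from the report or the sample: a small multipart parser an IR analyst can run over a captured POST body to pull the fields and hash the uploaded archive. The boundary, header layout and payload are constructed; the 32-hex-digit string is copied from the listing and used only as a placeholder build_id value, since the report does not say what it is.

```python
# Added example, not from the report: parse a multipart/form-data upload body
# with the field names seen in this function (build_id, block, file_data).
# Boundary, headers and payload below are constructed for the example.
import hashlib
import re

BOUNDARY = b"------ExampleBoundary"                      # constructed
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"constructed, not a real archive"


def _part(name: str, data: bytes, filename=None, ctype=None) -> bytes:
    cd = f'Content-Disposition: form-data; name="{name}"'
    if filename:
        cd += f'; filename="{filename}"'
    head = cd.encode()
    if ctype:
        head += b"\r\nContent-Type: " + ctype.encode()
    return b"--" + BOUNDARY + b"\r\n" + head + b"\r\n\r\n" + data + b"\r\n"


SAMPLE_BODY = (_part("build_id", b"23a142269e47ce1692ccc9fb68473bc2")
               + _part("block", b"0")
               + _part("file_data", FAKE_ZIP, "out.zip", "application/octet-stream")
               + b"--" + BOUNDARY + b"--\r\n")


def boundary_from_content_type(value: str) -> bytes:
    """Pull the boundary parameter out of a Content-Type header value."""
    m = re.search(r'boundary=("?)([^";]+)\1', value)
    if not m:
        raise ValueError("no boundary parameter")
    return m.group(2).encode()


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Return {field name: {filename, content_type, data}} for each part."""
    delim = b"--" + boundary
    parts = {}
    for chunk in body.split(delim)[1:]:          # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        headers = {}
        for hl in head.split(b"\r\n"):
            k, _, v = hl.partition(b":")
            headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
        cd = headers.get("content-disposition", "")
        name = re.search(r'(?<!file)name="([^"]*)"', cd)   # do not match filename=
        fname = re.search(r'filename="([^"]*)"', cd)
        parts[name.group(1) if name else f"unnamed{len(parts)}"] = {
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type"),
            "data": data,
        }
    return parts


def triage(body: bytes, boundary: bytes) -> dict:
    """Summarise an upload the way an IR note would record it."""
    parts = parse_multipart(body, boundary)
    payload = parts.get("file_data", {}).get("data", b"")
    return {
        "fields": sorted(parts),
        "build_id": parts.get("build_id", {}).get("data", b"").decode("latin-1"),
        "file_name": parts.get("file_data", {}).get("filename"),
        "file_size": len(payload),
        "file_sha256": hashlib.sha256(payload).hexdigest(),
        "looks_like_zip": payload.startswith(b"PK\x03\x04"),
    }


if __name__ == "__main__":
    ct = "multipart/form-data; boundary=" + BOUNDARY.decode()
    print(triage(SAMPLE_BODY, boundary_from_content_type(ct)))
```

For a real capture, take the boundary from the request's Content-Type header rather than guessing it from the dashes, and keep the sha256 of file_data as the record of what left the host.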

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 976 418995-41899c 977 4189a2-418e0f 976->977 978 418e14-418eb3 LoadLibraryA * 6 976->978 977->978 985 418f23-418f2a 978->985 986 418eb5-418f1e 978->986 988 418f30-418fde 985->988 989 418fe3-418fea 985->989 986->985 988->989 990 41905a-419061 989->990 991 418fec-419055 989->991 993 419067-4190e7 990->993 994 4190ec-4190f3 990->994 991->990 993->994 997 4191c3-4191ca 994->997 998 4190f9-4191be 994->998 1001 41923a-419241 997->1001 1002 4191cc-419235 997->1002 998->997 1007 419243-419267 1001->1007 1008 41926c-419273 1001->1008 1002->1001 1007->1008 1011 419275-419299 1008->1011 1012 41929e-4192a5 1008->1012 1011->1012 1020 4192ab-419385 1012->1020 1021 41938a-419391 1012->1021 1020->1021 1023 419393-4193e5 1021->1023 1024 4193ea-4193f1 1021->1024 1023->1024 1035 4193f3-419400 1024->1035 1036 419405-41940c 1024->1036 1035->1036 1038 419465-41946c 1036->1038 1039 41940e-419460 1036->1039 1049 41947f 1038->1049 1050 41946e-41947a 1038->1050 1039->1038 1050->1049
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LibraryLoad
                                                                                                                                                                            • String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
                                                                                                                                                                            • API String ID: 1029625771-2740034357
                                                                                                                                                                            • Opcode ID: bc716f2625a0e41b2ed4bb766179c27d34b4bc4e0803ef392b74f70fe9059fed
                                                                                                                                                                            • Instruction ID: 21a79a8d855260e2828667f180bc927f9092200f68422498ddf411ab147124d7
                                                                                                                                                                            • Opcode Fuzzy Hash: bc716f2625a0e41b2ed4bb766179c27d34b4bc4e0803ef392b74f70fe9059fed
                                                                                                                                                                            • Instruction Fuzzy Hash: C852F975911312AFDF1ADFA0FD0A8243AABFB08203F11B565E91982274D7774B60EF15
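Six LoadLibraryA calls followed by the names CreateProcessA, GetThreadContext, SetThreadContext, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory and ResumeThread is the complete primitive set for process hollowing (spawn suspended, map the payload into the child, patch the thread context, resume), and resolving them by string at run time keeps them out of the import table. SymMatchString from dbghelp.dll is a wildcard matcher, the kind of helper a file grabber uses for its path patterns. The following is an added example, not from the report: a check that flags a memory dump carrying that string set, run over two constructed blobs that stand in for dumps (they are not real samples).

```python
# Added example, not from the report: flag dumps that carry the API-name
# string set this function resolves.  The two blobs are constructed stand-ins.

HOLLOWING_PRIMITIVES = (
    "CreateProcessA", "GetThreadContext", "SetThreadContext",
    "VirtualAllocEx", "WriteProcessMemory", "ResumeThread",
)
# Also resolved by this function; reported when present but not required.
SUPPORTING = ("ReadProcessMemory", "HttpQueryInfoA", "InternetSetOptionA",
              "SymMatchString", "dbghelp.dll")


def find_strings(blob: bytes, names) -> dict:
    """Offset of each name as NUL-terminated ASCII or UTF-16LE.  Names handed
    to GetProcAddress are ASCII; the wide form catches wide-string variants."""
    hits = {}
    for name in names:
        for enc in (name.encode("ascii") + b"\0",
                    name.encode("utf-16-le") + b"\0\0"):
            off = blob.find(enc)
            if off != -1:
                hits[name] = off
                break
    return hits


def hollowing_verdict(blob: bytes) -> dict:
    """complete=True when every hollowing primitive is present as a string."""
    found = find_strings(blob, HOLLOWING_PRIMITIVES + SUPPORTING)
    missing = [n for n in HOLLOWING_PRIMITIVES if n not in found]
    return {
        "found": sorted(found),
        "missing": missing,
        "complete": not missing,
        "score": f"{len(HOLLOWING_PRIMITIVES) - len(missing)}/{len(HOLLOWING_PRIMITIVES)}",
    }


def _strtab(*names) -> bytes:
    return b"\0".join(n.encode("ascii") for n in names) + b"\0"


# Constructed: a dump carrying the same name table as the function above.
SUSPICIOUS_DUMP = b"MZ\x90\x00" + b"\x00" * 60 + _strtab(
    "CreateProcessA", "GetThreadContext", "HttpQueryInfoA", "InternetSetOptionA",
    "ReadProcessMemory", "ResumeThread", "SetThreadContext", "SymMatchString",
    "VirtualAllocEx", "WriteProcessMemory", "dbghelp.dll") + b"\x00" * 16
# Constructed: an ordinary launcher that only starts and resumes a child.
BENIGN_DUMP = b"MZ\x90\x00" + b"\x00" * 60 + _strtab(
    "CreateProcessA", "ResumeThread", "CloseHandle")


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_DUMP), ("benign", BENIGN_DUMP)):
        v = hollowing_verdict(blob)
        print(label, v["score"], "missing:", v["missing"])
```

The NUL terminator on each search term is deliberate: it avoids matching a name that is merely a substring of a longer one, and it mirrors how the strings sit in a binary's name table. The requirement that all six be present keeps launchers that only use CreateProcessA/ResumeThread out of the result.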

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 1120 4117dc-411842 call 42f159 CoInitializeEx CoInitializeSecurity CoCreateInstance 1124 411946-41194b 1120->1124 1125 411848-41187a CoSetProxyBlanket 1120->1125 1126 41195f call 4104bc 1124->1126 1130 411880-41188b 1125->1130 1131 41193f-411944 1125->1131 1129 411964-41196b call 42f1b5 1126->1129 1133 411891-4118a6 1130->1133 1134 411939-41195a 1130->1134 1131->1126 1133->1134 1138 4118ac-4118d1 VariantInit call 41172c 1133->1138 1134->1126 1141 4118d6-411937 FileTimeToSystemTime call 4104bc VariantClear 1138->1141 1141->1129
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_catch_GS.LIBCMT ref: 004117E3
                                                                                                                                                                            • CoInitializeEx.OLE32(00000000,00000000,0000004C,00413F39,Install Date: ,004368B8,00000000,Windows: ,004368A8,Work Dir: In memory,00436890), ref: 004117F4
                                                                                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411805
                                                                                                                                                                            • CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041181F
                                                                                                                                                                            • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411855
                                                                                                                                                                            • VariantInit.OLEAUT32(?), ref: 004118B0
                                                                                                                                                                              • Part of subcall function 0041172C: __EH_prolog3_catch.LIBCMT ref: 00411733
                                                                                                                                                                              • Part of subcall function 0041172C: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,004118D6,?), ref: 00411756
                                                                                                                                                                              • Part of subcall function 0041172C: SysAllocString.OLEAUT32(?), ref: 00411763
                                                                                                                                                                              • Part of subcall function 0041172C: _wtoi64.MSVCRT ref: 00411796
                                                                                                                                                                              • Part of subcall function 0041172C: SysFreeString.OLEAUT32(?), ref: 004117AF
                                                                                                                                                                              • Part of subcall function 0041172C: SysFreeString.OLEAUT32(00000000), ref: 004117B6
                                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 004118DF
                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 00411931
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: String$CreateFreeInitializeInstanceTimeVariant$AllocBlanketClearFileH_prolog3_catchH_prolog3_catch_InitProxySecuritySystem_wtoi64
                                                                                                                                                                            • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                                                                                                            • API String ID: 2027821108-461178377
                                                                                                                                                                            • Opcode ID: 1ef878a160ac1b41e8f62bbabcbd42ce57b377d218792d6474371592b041e7d9
                                                                                                                                                                            • Instruction ID: 53c85eede228d83e8f8b7915dab758499af21cc48905de34fd7a3047e6c0012c
                                                                                                                                                                            • Opcode Fuzzy Hash: 1ef878a160ac1b41e8f62bbabcbd42ce57b377d218792d6474371592b041e7d9
                                                                                                                                                                            • Instruction Fuzzy Hash: 63415F71900209BBCB10DBD5DC89EEFBBBDEFC9B11F20411AF611A61A4D6789941CB38

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            control_flow_graph 1301 401284-401380 call 423c60 * 2 lstrcatA * 13 call 410c5a 1307 401385-401389 1301->1307 1308 4013a5-4013a7 1307->1308 1309 40138b-40138d 1307->1309 1312 4013aa-4013ac 1308->1312 1310 4013a1-4013a3 1309->1310 1311 40138f-401395 1309->1311 1310->1312 1311->1308 1313 401397-40139f 1311->1313 1314 4013e9-4013f5 call 41d05a 1312->1314 1315 4013ae-4013b4 call 410c28 1312->1315 1313->1307 1313->1310 1319 4013b9-4013bd 1315->1319 1320 4013d9-4013db 1319->1320 1321 4013bf-4013c1 1319->1321 1324 4013de-4013e0 1320->1324 1322 4013c3-4013c9 1321->1322 1323 4013d5-4013d7 1321->1323 1322->1320 1325 4013cb-4013d3 1322->1325 1323->1324 1324->1314 1326 4013e2-4013e3 ExitProcess 1324->1326 1325->1319 1325->1323
APIs
• _memset.LIBCMT ref: 004012A7
• _memset.LIBCMT ref: 004012B6
• lstrcatA.KERNEL32(?,0043A9EC), ref: 004012D0
• lstrcatA.KERNEL32(?,0043A9F0), ref: 004012DE
• lstrcatA.KERNEL32(?,0043A9F4), ref: 004012EC
• lstrcatA.KERNEL32(?,0043A9F8), ref: 004012FA
• lstrcatA.KERNEL32(?,0043A9FC), ref: 00401308
• lstrcatA.KERNEL32(?,0043AA00), ref: 00401316
• lstrcatA.KERNEL32(?,0043AA04), ref: 00401324
• lstrcatA.KERNEL32(?,0043AA08), ref: 00401332
• lstrcatA.KERNEL32(?,0043AA0C), ref: 00401340
• lstrcatA.KERNEL32(?,0043AA10), ref: 0040134E
• lstrcatA.KERNEL32(?,0043AA14), ref: 0040135C
• lstrcatA.KERNEL32(?,0043AA18), ref: 0040136A
• lstrcatA.KERNEL32(?,0043AA1C), ref: 00401378
  • Part of subcall function 00410C5A: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C66
  • Part of subcall function 00410C5A: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C6D
  • Part of subcall function 00410C5A: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410C81
• ExitProcess.KERNEL32 ref: 004013E3
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
• String ID:
• API String ID: 1553874529-0
• Opcode ID: 927124d3e7746fc297e5f2fe29e5e0df559b15ca6c40b02dbd458cf132794fcb
• Instruction ID: 4641dc2a71a7f36ffdc22951e019d2d4c0538419c1ec9b6f3a97985c37de70f2
• Opcode Fuzzy Hash: 927124d3e7746fc297e5f2fe29e5e0df559b15ca6c40b02dbd458cf132794fcb
• Instruction Fuzzy Hash: EB4185B2E4422C66DB20DB719C59FDB7BAC9F14710F5005A3A8D8F3181D67C9A88CB98

Control-flow Graph

• Graph legend: Executed / Not Executed
• Control-flow graph image for function 00405F39-004067EC (node and edge data of the rendered graph not reproduced)
APIs
  • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
  • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
  • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
  • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
• _memmove.LIBCMT ref: 00406639
• _memmove.LIBCMT ref: 00406662
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: _memmove$CrackInternet
• String ID: "$"$"$------$------$------$------$23a142269e47ce1692ccc9fb68473bc2$build_id$mode
• API String ID: 1366773753-876234878
• Opcode ID: 4440cca1a600d73118678efb8d12b9bcabc9c4373609f69306b83fe032a973dc
• Instruction ID: 8eebda12c3b5d708eb83a5d718eaa1b7ac2e3c0f0341b99d1b213d601621e23a
• Opcode Fuzzy Hash: 4440cca1a600d73118678efb8d12b9bcabc9c4373609f69306b83fe032a973dc
• Instruction Fuzzy Hash: 4522A5719001699BCF21EB61CD46BCDB775AF08748F0184E7A64D73162CAB86FCA8F58

Control-flow Graph

APIs
  • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E72B,?,?,?), ref: 00407FC7
  • Part of subcall function 00411DF4: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416973,?), ref: 00411E0C
• strtok_s.MSVCRT ref: 0040E753
  • Part of subcall function 00416ED9: CreateThread.KERNEL32(00000000,00000000,00416E08,?,00000000,00000000), ref: 00416F78
  • Part of subcall function 00416ED9: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F80
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Create$AllocFileLocalObjectSingleThreadWaitstrtok_s
• String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
• API String ID: 3608619850-935134978
• Opcode ID: f5ebac40250988c8c527cc0ca342ace3a6a1faf6896128eed6d4f2dd9cfd2673
• Instruction ID: 47ce7727287e9f9e0db6c8b5a9533b4c3b5eb338c4ff8911e2f23da32c202c50
• Opcode Fuzzy Hash: f5ebac40250988c8c527cc0ca342ace3a6a1faf6896128eed6d4f2dd9cfd2673
• Instruction Fuzzy Hash: C4A16372A00219BBCF01FBA1DD4AACD7779AF08705F105426F601F31A1DB79AF858B99
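
The strings in this function name the file the sample reads (\AppData\Roaming\FileZilla\recentservers.xml), the four tags it tokenises with strtok_s (<Host>, <Port>, <User>, <Pass encoding="base64">) and the "Soft: FileZilla / Host: / Login: / Password:" layout it writes to passwords.txt. The Python below is an added triage example, not code from the sample or from this report: it parses a constructed recentservers.xml the same way and prints the entries in that layout, which is what an analyst runs on the affected host to list the FTP/SFTP credentials that must be rotated. The sample XML, the ':' between host and port, and the helper names are assumptions; FileZilla only base64-encodes the stored password, so nothing protects it from a process running as the user.

```python
"""List the FileZilla credentials a Vidar-style stealer can lift from
recentservers.xml, in the 'Soft:/Host:/Login:/Password:' layout the strings
above show it writing to passwords.txt.  Added triage example, not code from
the sample or the report; the XML below is a constructed stand-in for the
real file."""
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed in the layout FileZilla writes (assumption: <Server> elements
# under <RecentServers>; real files carry more child elements than shown).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>3</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def default_path() -> str:
    """The location the sample hard-codes, under the current user's profile."""
    return os.path.join(os.path.expanduser("~"), "AppData", "Roaming",
                        "FileZilla", "recentservers.xml")


def extract_entries(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per <Server>, built from the four tags the sample tokenises on.
    Entries with no stored password (key-based or interactive logon) are kept,
    because host and user alone are still useful to an attacker."""
    entries = []
    for srv in ET.fromstring(xml_text).iter("Server"):
        entry: Dict[str, Optional[str]] = {
            "host": (srv.findtext("Host") or "").strip(),
            "port": (srv.findtext("Port") or "").strip(),
            "user": (srv.findtext("User") or "").strip(),
            "password": None,
        }
        pw = srv.find("Pass")
        if pw is not None and pw.text:
            # FileZilla base64-encodes the value; no secret protects it, so any
            # process running as the user can read it back in clear.
            if pw.get("encoding") == "base64":
                entry["password"] = base64.b64decode(pw.text).decode("utf-8", "replace")
            else:
                entry["password"] = pw.text
        entries.append(entry)
    return entries


def format_like_stealer(entries: List[Dict[str, Optional[str]]]) -> str:
    """Render in the layout seen in the sample's strings so an analyst can diff
    the result against a recovered passwords.txt.  Joining host and port with
    ':' is an assumption; the strings show the labels, not the separator."""
    lines = []
    for e in entries:
        lines += ["Soft: FileZilla",
                  f"Host: {e['host']}:{e['port']}",
                  f"Login: {e['user']}",
                  f"Password: {e['password'] or ''}",
                  ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # On a Windows host this reads the real file; elsewhere it falls back to the
    # constructed sample so the script still demonstrates the output.
    path = default_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_XML
    print(format_like_stealer(extract_entries(text)))
```

Run it as the affected user on the compromised host; every printed entry is a credential the stealer had access to, whether or not a passwords.txt was recovered.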

Control-flow Graph

APIs
• _memset.LIBCMT ref: 004182D8
• _memset.LIBCMT ref: 004182E7
• ShellExecuteEx.SHELL32(?," & exit,/c timeout /t 10 & rd /s /q "C:\ProgramData\,004366DF,?,?,?,?,?,?), ref: 00418498
• _memset.LIBCMT ref: 004184A7
• _memset.LIBCMT ref: 004184B9
• ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004184C9
Strings
• " & exit, xrefs: 0041841C
• " & exit, xrefs: 004183CB
• " & rd /s /q "C:\ProgramData\, xrefs: 00418375
• /c timeout /t 10 & del /f /q ", xrefs: 00418327
• /c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 004183D2
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: _memset$ExecuteExitProcessShell
• String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
• API String ID: 1705808515-1079830800
• Opcode ID: 67862d2b9e0b9edf4d7bf7f7c9ffa5c11ab5342b88edd4b5672b512d9d8ae981
• Instruction ID: f74f7938643bacf520262fce9bfc50d90f5039b285da77bfecd7a623ca8a8e1d
• Opcode Fuzzy Hash: 67862d2b9e0b9edf4d7bf7f7c9ffa5c11ab5342b88edd4b5672b512d9d8ae981
• Instruction Fuzzy Hash: 1251BBB1E402299BCB11EF25DD856DDB37CAB44748F4140EAA608B3152CA786FC68F58
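
The strings and the ShellExecuteEx call in this function show the cleanup command the sample hands to cmd.exe before it calls ExitProcess: `timeout /t 10`, then `del /f /q "<file>"` and/or `rd /s /q "C:\ProgramData\<dir>"`, then `exit`. The fragments `" & rd /s /q "C:\ProgramData\` and `" & exit` are the glue between those clauses, so both a two-clause and a one-clause form exist. The Python below is an added detection example, not part of this report or of the sample: it matches that command line in constructed Sysmon-style process-creation records and raises the strong signal when the file being deleted is the parent process's own image. The record fields, the paths and the ProgramData directory name are constructed assumptions, as is the exact quoting of the paths.

```python
"""Flag the cmd.exe cleanup the sample launches through ShellExecuteEx:
    /c timeout /t 10 & del /f /q "<own exe>" & rd /s /q "C:\\ProgramData\\<dir>" & exit
    /c timeout /t 10 & rd /s /q "C:\\ProgramData\\<dir>" & exit
Added detection example over constructed Sysmon-style process-creation
records; it is not code from the report or from the sample."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape reconstructed from the string fragments in the listing above.  The
# quoting of the deleted paths is inferred from the '"' fragments (assumption).
PREFIX_RE = re.compile(
    r'^(?:"[^"]*\\|[^\s"]*\\)?cmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+(?P<delay>\d+)\s*(?P<rest>&.*)$',
    re.IGNORECASE,
)
CLAUSE_RE = re.compile(
    r'&\s*(?P<verb>del\s+/f\s+/q|rd\s+/s\s+/q)\s+"(?P<target>[^"]+)"\s*',
    re.IGNORECASE,
)
EXIT_RE = re.compile(r"&\s*exit\s*", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 record (constructed for this example)."""
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    delay: int
    clauses: List[Tuple[str, str]]   # (verb, quoted path) in command order
    self_delete: bool                # a 'del' names the parent's own binary
    programdata_wipe: bool           # an 'rd' targets a C:\ProgramData\ subtree


def parse_cleanup_cmdline(cmdline: str) -> Optional[Tuple[int, List[Tuple[str, str]]]]:
    """Return (delay, [(verb, path), ...]) when the line has the shape
    'cmd /c timeout /t N & (del|rd) ... "<path>" [& ...] & exit', else None."""
    m = PREFIX_RE.match(cmdline.strip())
    if not m:
        return None
    rest, pos, clauses = m.group("rest"), 0, []
    while True:
        c = CLAUSE_RE.match(rest, pos)
        if not c:
            break
        clauses.append((c.group("verb").split()[0].lower(), c.group("target")))
        pos = c.end()
    # At least one delete clause and nothing but the literal '& exit' after it;
    # a plain 'timeout & echo ... & exit' therefore does not fire.
    if not clauses or not EXIT_RE.fullmatch(rest, pos):
        return None
    return int(m.group("delay")), clauses


def inspect_event(ev: ProcEvent) -> Optional[Finding]:
    parsed = parse_cleanup_cmdline(ev.command_line)
    if parsed is None:
        return None
    delay, clauses = parsed
    parent = ev.parent_image.lower()
    # Strongest signal: the parent asks cmd.exe to delete the parent's own file.
    self_delete = any(v == "del" and p.lower() == parent for v, p in clauses)
    wipe = any(v == "rd" and p.lower().startswith("c:\\programdata\\") for v, p in clauses)
    return Finding(delay, clauses, self_delete, wipe)


def scan(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed records: two in the sample's style, two benign uses of cmd.exe.
STEALER = r"C:\Users\victim\Downloads\Unlock_Tool_2.3.1.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(CMD, f'"{CMD}" /c timeout /t 10 & del /f /q "{STEALER}" & rd /s /q "C:\\ProgramData\\QWERTYUI" & exit', STEALER),
    ProcEvent(CMD, f'"{CMD}" /c timeout /t 10 & rd /s /q "C:\\ProgramData\\QWERTYUI" & exit', STEALER),
    ProcEvent(CMD, f'"{CMD}" /c dir C:\\Temp', r"C:\Windows\explorer.exe"),
    ProcEvent(CMD, f'"{CMD}" /c timeout /t 10 & echo done & exit', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The command-line match alone is a medium-confidence indicator (installers use similar one-liners); the `self_delete` flag, which needs the ParentImage field, is the part worth alerting on, and the `rd` clause tells the responder which ProgramData directory to pull from a disk image before the 10-second timer has removed it on a live host.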

Control-flow Graph

• Graph legend: Executed / Not Executed
• Control-flow graph image for function 00417083-00418152 (node and edge data of the rendered graph not reproduced)
APIs
  • Part of subcall function 00410C28: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C34
  • Part of subcall function 00410C28: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C3B
  • Part of subcall function 00410C28: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C4F
  • Part of subcall function 00412554: __EH_prolog3_catch_GS.LIBCMT ref: 0041255E
  • Part of subcall function 00412554: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E73,.exe,00436CD4,00436CD0,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC), ref: 0041257D
  • Part of subcall function 00412554: Process32First.KERNEL32(00000000,00000128), ref: 0041258D
  • Part of subcall function 00412554: Process32Next.KERNEL32(00000000,00000128), ref: 0041259F
• CreateDirectoryA.KERNEL32(?,00000000,004366D6), ref: 0041764C
  • Part of subcall function 00413A02: strtok_s.MSVCRT ref: 00413A33
  • Part of subcall function 004131D8: strtok_s.MSVCRT ref: 004131F7
  • Part of subcall function 004131D8: strtok_s.MSVCRT ref: 0041327A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: strtok_s$CreateHeapProcess32$AllocDirectoryFirstH_prolog3_catch_NameNextProcessSnapshotToolhelp32User
                                                                                                                                                                            • String ID: .exe$.exe$23a142269e47ce1692ccc9fb68473bc2$_DEBUG.zip$cowod.$hopto$http://$org
                                                                                                                                                                            • API String ID: 3631202960-3669155049
                                                                                                                                                                            • Opcode ID: 22e0d92267f419021a3e3f91358bcc69aeab730ecbe9545673ff5c84f2e79e03
                                                                                                                                                                            • Instruction ID: 8df2a6c4b46c73ca4ddf54cc8c0bb9bb361c8bd8d3ae006cdaff17597551342b
                                                                                                                                                                            • Opcode Fuzzy Hash: 22e0d92267f419021a3e3f91358bcc69aeab730ecbe9545673ff5c84f2e79e03
                                                                                                                                                                            • Instruction Fuzzy Hash: F3923E715083459BC620FF25D94268EB7E1FF84708F51482FF58477191DBB8AA8E8B8B
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,0043670E,00000000,?,?), ref: 00411248
                                                                                                                                                                            • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00411285
                                                                                                                                                                            • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112D1
                                                                                                                                                                            • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00411307
                                                                                                                                                                            • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,00436E94), ref: 004113B1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: OpenQueryValue$Enum
                                                                                                                                                                            • String ID: - $%s\%s$?
                                                                                                                                                                            • API String ID: 2712010499-3278919252
                                                                                                                                                                            • Opcode ID: 137f9a5c3c5069f07d9af57b08a0430e085017ea7b5abc5e6f1b491645986798
                                                                                                                                                                            • Instruction ID: 1a7e4b7b75ff4232c8cdaa0c3999b5666d708685d756b362eb3ad491a7b64724
                                                                                                                                                                            • Opcode Fuzzy Hash: 137f9a5c3c5069f07d9af57b08a0430e085017ea7b5abc5e6f1b491645986798
                                                                                                                                                                            • Instruction Fuzzy Hash: A561077590022CABEF21DF15DD84ECAB7B9AB04704F1082E6A608B2161DF756FC9CF54
                                                                                                                                                                            APIs
                                                                                                                                                                            • _memset.LIBCMT ref: 004115DC
                                                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 004115FB
                                                                                                                                                                            • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 00411620
                                                                                                                                                                            • CharToOemA.USER32(?,?), ref: 00411640
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CharOpenQueryValue_memset
                                                                                                                                                                            • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                                                                                                                            • API String ID: 2355623204-1211650757
                                                                                                                                                                            • Opcode ID: 68cd65d66c8ef3e8d798de7d8bc93d3c2eb6c97baab99793a2fa708540bc2a72
                                                                                                                                                                            • Instruction ID: 0c83f0933e3d79f190a56af7a1f9b34225ce39da16332cf8d5c5010bc6302d27
                                                                                                                                                                            • Opcode Fuzzy Hash: 68cd65d66c8ef3e8d798de7d8bc93d3c2eb6c97baab99793a2fa708540bc2a72
                                                                                                                                                                            • Instruction Fuzzy Hash: FC111EB590031DAFDB10DF50DD89EEBB7BCEB14305F0041E6A659A2052D6759F888F14
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_catch.LIBCMT ref: 00411733
                                                                                                                                                                            • CoCreateInstance.OLE32(004331B0,00000000,00000001,0043AF60,?,00000018,004118D6,?), ref: 00411756
                                                                                                                                                                            • SysAllocString.OLEAUT32(?), ref: 00411763
                                                                                                                                                                            • _wtoi64.MSVCRT ref: 00411796
                                                                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 004117AF
                                                                                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 004117B6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 181426013-0
                                                                                                                                                                            • Opcode ID: 94a9f91ccacc7efa5da4f735102b9eaf6ebfce10aa4b3815ebcfd38f894d266d
                                                                                                                                                                            • Instruction ID: f8cdbbbe70d397e706f906296cdeba407d3bbd7863d046f8457389d6b98cb90c
                                                                                                                                                                            • Opcode Fuzzy Hash: 94a9f91ccacc7efa5da4f735102b9eaf6ebfce10aa4b3815ebcfd38f894d266d
                                                                                                                                                                            • Instruction Fuzzy Hash: 90114C74A0424ADFCF009FA4D8989EEBBB5AF49310F64417EF215E73A0DB394945CB68
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
                                                                                                                                                                            • _memset.LIBCMT ref: 004010D0
                                                                                                                                                                            • VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,0041850E), ref: 00401100
                                                                                                                                                                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 00401112
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1859398019-0
                                                                                                                                                                            • Opcode ID: 45a9583896774015c5220384c9ed5eb294c525cf6862c07f2340da09953674c4
                                                                                                                                                                            • Instruction ID: 25c570db86decb207e4e4dfc09e078fb1bce2ee661320ecb4d87a6b80f7b96d5
                                                                                                                                                                            • Opcode Fuzzy Hash: 45a9583896774015c5220384c9ed5eb294c525cf6862c07f2340da09953674c4
                                                                                                                                                                            • Instruction Fuzzy Hash: 60F0C87238122477F22412763C6EF6B1A6C9B41F56F205035F309FB2D0D6699804967C
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004109EA
                                                                                                                                                                              • Part of subcall function 00411659: GetCurrentHwProfileA.ADVAPI32(?), ref: 00411674
                                                                                                                                                                              • Part of subcall function 00411659: _memset.LIBCMT ref: 004116A3
                                                                                                                                                                              • Part of subcall function 004123AA: malloc.MSVCRT ref: 004123AF
                                                                                                                                                                              • Part of subcall function 004123AA: strncpy.MSVCRT ref: 004123C0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentInformationProfileVolume_memsetmallocstrncpy
                                                                                                                                                                            • String ID: :\$C$QuBi$bwA
                                                                                                                                                                            • API String ID: 1802918048-1665024704
                                                                                                                                                                            • Opcode ID: 10eca5ba7591b1c9726683b6efb2efe54b45c38386d2ee730406ab5f7d6ba462
                                                                                                                                                                            • Instruction ID: b9c2e458b62d39f60936fb5c5f3cecbb2f8bdcade59f27643c81c3961379b96e
                                                                                                                                                                            • Opcode Fuzzy Hash: 10eca5ba7591b1c9726683b6efb2efe54b45c38386d2ee730406ab5f7d6ba462
                                                                                                                                                                            • Instruction Fuzzy Hash: 0441AFB1A042289BCB259F359D85ADEBBBDEF09304F0000EAF549E3121D6748FC58F68
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,75BF74F0,?,0041CC33,?,0041CCC1,00000000,06400000,00000003,00000000,004175C1,.exe,00436C64), ref: 0041BCB3
                                                                                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75BF74F0,?,0041CC33,?,0041CCC1,00000000,06400000,00000003,00000000), ref: 0041BCEB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CreatePointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2024441833-0
                                                                                                                                                                            • Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
                                                                                                                                                                            • Instruction ID: cb5c2f7eaaff30269fafad0aed59c048329575cccc762fe3435784ccc124e2e0
                                                                                                                                                                            • Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
                                                                                                                                                                            • Instruction Fuzzy Hash: 1D3187B0504B45DFDB349F25A8C47A77AE8EB14318F108B2FF59682640D33898C4CBD9
                                                                                                                                                                            APIs
                                                                                                                                                                            • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
                                                                                                                                                                            • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
                                                                                                                                                                            • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
                                                                                                                                                                            • InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CrackInternet
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1381609488-0
                                                                                                                                                                            • Opcode ID: 98310aa1f434478e7fb8539daea0c8874a8af54bde3e2f4e3fe51e91d8b2aa84
                                                                                                                                                                            • Instruction ID: 606110043d28a64a3cf3047e57e5fece759b363c0f9d5b5b09730ac45ad85936
                                                                                                                                                                            • Opcode Fuzzy Hash: 98310aa1f434478e7fb8539daea0c8874a8af54bde3e2f4e3fe51e91d8b2aa84
                                                                                                                                                                            • Instruction Fuzzy Hash: 03015B32D00218ABCF049BA9DC45ADEBFB8AF55330F10821AF925F72E0DB745A018B94
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_catch_GS.LIBCMT ref: 0041255E
                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417E73,.exe,00436CD4,00436CD0,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC), ref: 0041257D
                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 0041258D
                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 0041259F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process32$CreateFirstH_prolog3_catch_NextSnapshotToolhelp32
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2623756784-0
                                                                                                                                                                            • Opcode ID: df2519ba6d108fdc8b71c082039c9bc3bb26964c19a844e6744d04e068c13488
                                                                                                                                                                            • Instruction ID: dfa50e9b2d92f41fe19a6e116423a8dfd4d95ce18993e0e6c6816f44e1c7b9ae
                                                                                                                                                                            • Opcode Fuzzy Hash: df2519ba6d108fdc8b71c082039c9bc3bb26964c19a844e6744d04e068c13488
                                                                                                                                                                            • Instruction Fuzzy Hash: C8018671500224ABDB249B60DD44FEE7BBD9F04301F8400E6E40DD2291D7788F949B25
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentHwProfileA.ADVAPI32(?), ref: 00411674
                                                                                                                                                                            • _memset.LIBCMT ref: 004116A3
                                                                                                                                                                              • Part of subcall function 004123AA: malloc.MSVCRT ref: 004123AF
                                                                                                                                                                              • Part of subcall function 004123AA: strncpy.MSVCRT ref: 004123C0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentProfile_memsetmallocstrncpy
                                                                                                                                                                            • String ID: Unknown
                                                                                                                                                                            • API String ID: 455225556-1654365787
                                                                                                                                                                            • Opcode ID: f644913eff35c1bea0ebd6b3338a588dfdbe38cf0212d1c473d842671d84e224
                                                                                                                                                                            • Instruction ID: bbe101daec5a89a31c14a1391deaf042981834e050b350a90ece11c042c44c38
                                                                                                                                                                            • Opcode Fuzzy Hash: f644913eff35c1bea0ebd6b3338a588dfdbe38cf0212d1c473d842671d84e224
                                                                                                                                                                            • Instruction Fuzzy Hash: 8E113675A0021CABDB11EB65DC85BDD73B8AB08704F4004AAB645F7191DA78AEC88F5C
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436890,?,?,?,00413ED5,Windows: ,004368A8), ref: 00410B4E
                                                                                                                                                                            • RegQueryValueExA.KERNEL32(00436890,00000000,00000000,00000000,000000FF,?,?,?,00413ED5,Windows: ,004368A8), ref: 00410B6A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: OpenQueryValue
                                                                                                                                                                            • String ID: Windows 11
                                                                                                                                                                            • API String ID: 4153817207-2517555085
                                                                                                                                                                            • Opcode ID: eff4407981480f29a3e8c3abb8119370cc6538536529693400870beae5f7a9d1
                                                                                                                                                                            • Instruction ID: 0bec989384f0a7c66584ec76c5164b6df09d4e667c826edd8b17caab73b46526
                                                                                                                                                                            • Opcode Fuzzy Hash: eff4407981480f29a3e8c3abb8119370cc6538536529693400870beae5f7a9d1
                                                                                                                                                                            • Instruction Fuzzy Hash: 49F04475600304FBEF149BD1DC4EFAE7A6EEB44705F141055B601961E0D7B5AA80D725
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436890,?,?,?,00410BF0,00410B2D,?,?,?,00413ED5,Windows: ,004368A8), ref: 00410BB7
                                                                                                                                                                            • RegQueryValueExA.KERNEL32(00436890,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410BF0,00410B2D,?,?,?,00413ED5,Windows: ), ref: 00410BD2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: OpenQueryValue
                                                                                                                                                                            • String ID: CurrentBuildNumber
                                                                                                                                                                            • API String ID: 4153817207-1022791448
                                                                                                                                                                            • Opcode ID: 3182c4627f195be221e76e344ca264d351bdd3646ceab104d6e5169a5afc3c7d
                                                                                                                                                                            • Instruction ID: 16525d27e18a6f6eb50ada141e8e48f6afa079728c5f11f74ebe8399e0be2e3b
                                                                                                                                                                            • Opcode Fuzzy Hash: 3182c4627f195be221e76e344ca264d351bdd3646ceab104d6e5169a5afc3c7d
                                                                                                                                                                            • Instruction Fuzzy Hash: B4F09071640304FBFF149B91DC0FFAE7A7EEB44B06F140059F701A50A0D6B2AB809B14
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C66
                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C6D
                                                                                                                                                                            • GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410C81
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$AllocComputerNameProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4203777966-0
                                                                                                                                                                            • Opcode ID: 6c13bdc48f24620c1458262451df69a1fa4e50b82ce9a072ad0b58c7c76c57f0
                                                                                                                                                                            • Instruction ID: f6aeb2de1523635185e516c3bea9f441b1e125238e9ebec13057e88de697580f
                                                                                                                                                                            • Opcode Fuzzy Hash: 6c13bdc48f24620c1458262451df69a1fa4e50b82ce9a072ad0b58c7c76c57f0
                                                                                                                                                                            • Instruction Fuzzy Hash: 49E08CB1200204BBD7448B99AC8DF8E7BBCDB84711F000235F605D2250E6B4C9848B68
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E72B,?,?,?), ref: 00407FC7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                            • String ID: +@
                                                                                                                                                                            • API String ID: 823142352-396005422
                                                                                                                                                                            • Opcode ID: d2fff167fb3d7733026eac0e62b508efa91648d8dc83ae773f2aa49c1a23bce4
                                                                                                                                                                            • Instruction ID: 807723f2e51248c8f2f98e616b696bb7d0540dc5137f9c813bae56d6ea2df898
                                                                                                                                                                            • Opcode Fuzzy Hash: d2fff167fb3d7733026eac0e62b508efa91648d8dc83ae773f2aa49c1a23bce4
                                                                                                                                                                            • Instruction Fuzzy Hash: 38115B70900204EFDF25DFA4DD88EAF7BB9EB48741F20056AF481B6290DB769A85DB11
                                                                                                                                                                            APIs
                                                                                                                                                                            • GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411129
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: GlobalMemoryStatus
                                                                                                                                                                            • String ID: %d MB
                                                                                                                                                                            • API String ID: 1890195054-2651807785
                                                                                                                                                                            • Opcode ID: 72a52e70201ad22aec00983051af57702ef65c70131e266f08feed65ab004bf9
                                                                                                                                                                            • Instruction ID: b03481c602d06677a198dbb5353ea4b7396302b30250a932e355f2735c5afa91
                                                                                                                                                                            • Opcode Fuzzy Hash: 72a52e70201ad22aec00983051af57702ef65c70131e266f08feed65ab004bf9
                                                                                                                                                                            • Instruction Fuzzy Hash: F301AEB1E00318ABEB04DFB4DC45AFEB7B8EF08705F44006AF601D7190DA759D818765
                                                                                                                                                                            APIs
                                                                                                                                                                            • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 0041225C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: FileModuleName
• String ID: *>A
• API String ID: 514040917-2324000863
• Opcode ID: 682d7451b07059949ef688f4e67d0a59911f18ee68ef595ae0e870f89720a860
• Instruction ID: 6633d685373ab45c8211bc738bf5b9d0ac44cdf8922bbde8cb97f055ad548524
• Opcode Fuzzy Hash: 682d7451b07059949ef688f4e67d0a59911f18ee68ef595ae0e870f89720a860
• Instruction Fuzzy Hash: 8BF0B475600208ABDB14EB68DC45FEE7BBC9B44B04F00006AF641D7290DEB4DAC58B99

APIs
• CreateThread.KERNEL32(00000000,00000000,00416E08,?,00000000,00000000), ref: 00416F78
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F80
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: CreateObjectSingleThreadWait
• String ID:
• API String ID: 1891408510-0
• Opcode ID: 1461ab507dc6dfd35255e810fb889321eefe54f3dc9c2a7f5414d00745edce53
• Instruction ID: 92bf923f0917d822374c23a0111adfdcc0c83fadde586f70278f9170f8a7b62b
• Opcode Fuzzy Hash: 1461ab507dc6dfd35255e810fb889321eefe54f3dc9c2a7f5414d00745edce53
• Instruction Fuzzy Hash: 4821483290021CABCF14EF55EC858DE7BB9FF44395F11812AF906A3151C779AA86CB98

APIs
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436890,?,?,?,00414292,Processor: ,[Hardware],00436958,00000000,TimeZone: ,00436948,00000000,Local Time: ), ref: 00410F5F
• RegQueryValueExA.KERNEL32(00436890,00000000,00000000,00000000,000000FF,?,?,?,00414292,Processor: ,[Hardware],00436958,00000000,TimeZone: ,00436948,00000000), ref: 00410F7B
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: OpenQueryValue
• String ID:
• API String ID: 4153817207-0
• Opcode ID: 267a369b0f9252e087d037b2a4430d55cc5b2cc9540841a28167b2b4da7fd567
• Instruction ID: 9d2ba58619f1d31ec1eed97cb1b3f411898d7f1aad353569fe744808fca98e41
• Opcode Fuzzy Hash: 267a369b0f9252e087d037b2a4430d55cc5b2cc9540841a28167b2b4da7fd567
• Instruction Fuzzy Hash: 72F03075640304FFEF248B90DC0EFAA7A7EEB44B06F141155F701A51A0D7B29B509B20

APIs
• LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00416973,?), ref: 00411E0C
Strings: (none listed)
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: AllocLocal
• String ID: siA
• API String ID: 3494564517-470986483
• Opcode ID: fb61fe623097888cf65d3814ddf1640f9bdc70486a4c33bd704b3484e22c8f94
• Instruction ID: 346925838d3b14811ea8838da46691f13996bcddb0819abdd03295e02f918ba5
• Opcode Fuzzy Hash: fb61fe623097888cf65d3814ddf1640f9bdc70486a4c33bd704b3484e22c8f94
• Instruction Fuzzy Hash: FBE02B3AA017115B87224BFAD8146A7BB5A9FC5B61B08416BEF48CB325C5B5CC4186E4

APIs
• malloc.MSVCRT ref: 0041CC0E
  • Part of subcall function 0041BBB1: lstrlenA.KERNEL32(?,0041CC1F,0041CCC1,00000000,06400000,00000003,00000000,004175C1,.exe,00436C64,00436C60,00436C5C,00436C58,00436C54,00436C50,00436C4C), ref: 0041BBE3
  • Part of subcall function 0041BBB1: malloc.MSVCRT ref: 0041BBEB
  • Part of subcall function 0041BBB1: lstrcpyA.KERNEL32(00000000,?), ref: 0041BBF6
• malloc.MSVCRT ref: 0041CC4B
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: malloc$lstrcpylstrlen
• String ID:
• API String ID: 2974738957-0
• Opcode ID: f9200b95373ff1b7789a744542eff742420212f49676e2a89c92c5c195539ba2
• Instruction ID: 8df7538632d2272994aaaaf24c21eca96cdb497c3d92377313da6f1428c14af4
• Opcode Fuzzy Hash: f9200b95373ff1b7789a744542eff742420212f49676e2a89c92c5c195539ba2
• Instruction Fuzzy Hash: ABF024726442125BC7206F6AEC819DBBB98EB447A0F054127FE0C97340EA34DC4083F8

APIs
• LoadLibraryA.KERNEL32(?,00418504), ref: 004188BF
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 2dbbfc929b8f993913bf6cc8f40ee179c9bfe20a2ea7c03f75fbc9e0dd5c09c8
• Instruction ID: e15db10cd0fdf5c8d7ae2cec0182c2fa1046cf6aaa80e190bc6e5928fe16da9b
• Opcode Fuzzy Hash: 2dbbfc929b8f993913bf6cc8f40ee179c9bfe20a2ea7c03f75fbc9e0dd5c09c8
• Instruction Fuzzy Hash: F1710975911322AFDF1ADFA0FD4A8243AABFB08203F11B526E91982274D7774B60DF15

APIs
  • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
  • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
  • Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
  • Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E
• RtlAllocateHeap.NTDLL(00000000), ref: 00405285
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: AllocateCrackHeapInternet
• String ID:
• API String ID: 1086229106-0
• Opcode ID: 47051449f07eae40fed238264bbf433b4517496b6ab93af0b5c71253d9c134c2
• Instruction ID: 7bf317583300bf6ad83df286ffbbc128525ff46f9f5d6ae9615f57ce5c13ed7d
• Opcode Fuzzy Hash: 47051449f07eae40fed238264bbf433b4517496b6ab93af0b5c71253d9c134c2
• Instruction Fuzzy Hash: 76114CB1800A2CAFEF20DFA49C84AAB7BBDEB08746F0040A5B908A7150D6355F919F90

APIs
• SHFileOperationA.SHELL32(?), ref: 0041254C
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: FileOperation
• String ID:
• API String ID: 3080627654-0
• Opcode ID: 4db8ebf57bc6107b71b5ba4193d59d5f03bca1d24e9a0919771ad3cddd4420d4
• Instruction ID: eaea2de8574f2c4140e53920b4a13b58a368e230bb1e65c66a238f6e4d3fc1a7
• Opcode Fuzzy Hash: 4db8ebf57bc6107b71b5ba4193d59d5f03bca1d24e9a0919771ad3cddd4420d4
• Instruction Fuzzy Hash: ABE075B0D0420E9FCF44EFA596152DDBAF4AB48308F00916AC115F2240E3B482058BA9

APIs: (none listed)
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: malloc
• String ID:
• API String ID: 2803490479-0
• Opcode ID: 493a35f909d201759c05811b0783fd6409673068aaaac69e2073ebd1e81572ae
• Instruction ID: c2910aac78a4d1c0d0fc858b8a2476ce5a7129681263563ecaa76da9588f87e4
• Opcode Fuzzy Hash: 493a35f909d201759c05811b0783fd6409673068aaaac69e2073ebd1e81572ae
• Instruction Fuzzy Hash: DB211674200714CFC320DF6ED484996B7F5FF49328B14486EEA8A8B722D776E881CB15
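The per-function records in this report are raw API call lists, and the useful signal is in the combinations and the literal arguments: the record that follows pairs GetThreadContext, VirtualAllocEx (flAllocationType 0x3000 = MEM_COMMIT | MEM_RESERVE, flProtect 0x40 = PAGE_EXECUTE_READWRITE), three WriteProcessMemory calls and SetThreadContext, the thread-context injection sequence that matches the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures, while the earlier RegOpenKeyExA record opens HKEY_LOCAL_MACHINE (0x80000002) with KEY_READ | KEY_WOW64_64KEY (0x00020119) next to the strings "Processor:" and "[Hardware]". The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the shape this listing uses (the line format is assumed from the page), groups them per function at each "APIs" header, and flags those patterns. The sample input is constructed from abridged copies of this page's own API lines, so it runs offline.

```python
"""Parse a Joe Sandbox-style per-function API listing and flag the behaviours it shows.
Added example; the listing format is assumed from the report page, not taken from Joe Sandbox code."""
import re
from typing import Dict, List, NamedTuple, Optional

class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[str]
    ref: str           # call-site address as printed after "ref:"

# One bullet of the listing, e.g.
#   "• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5CD"
#   "• malloc.MSVCRT ref: 0041CC0E"            (no argument list)
#   "  • Part of subcall function 0041BBB1: lstrlenA.KERNEL32(...), ref: 0041BBE3"
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Constructed sample: abridged copies of API lines from this report page.
SAMPLE_LISTING = """\
APIs
• CreateThread.KERNEL32(00000000,00000000,00416E08,?,00000000,00000000), ref: 00416F78
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F80
APIs
• RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436890,?,?,?,00414292,Processor: ,[Hardware]), ref: 00410F5F
• RegQueryValueExA.KERNEL32(00436890,00000000,00000000,00000000,000000FF,?,?,?,00414292), ref: 00410F7B
APIs
• malloc.MSVCRT ref: 0041CC0E
  • Part of subcall function 0041BBB1: lstrlenA.KERNEL32(?,0041CC1F,0041CCC1,00000000), ref: 0041BBE3
APIs
• _memset.LIBCMT ref: 0040F551
• GetThreadContext.KERNEL32(?,00000000), ref: 0040F599
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5B7
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5CD
• WriteProcessMemory.KERNEL32(?,00000000,00412DA1,?,00000000), ref: 0040F5FC
• WriteProcessMemory.KERNEL32(?,?,D6D9E8F4,00000004,00000000), ref: 0040F659
• SetThreadContext.KERNEL32(?,00000000), ref: 0040F66B
"""

def parse_functions(listing: str) -> List[List[ApiCall]]:
    """Split the listing at each 'APIs' header; each group is one analysed function."""
    functions: List[List[ApiCall]] = []
    for line in listing.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = _CALL_RE.match(line)
        if m and functions:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            functions[-1].append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref").upper()))
    return functions

def _hex(arg: str) -> Optional[int]:
    """Argument values are hex; '?' (unknown) and string literals decode to None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

# All members must appear in one function for the label to fire (hypothetical rule names).
_RULES: Dict[str, frozenset] = {
    "thread-context injection (hollowing-style)":
        frozenset({"GetThreadContext", "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext"}),
    "registry read for host fingerprinting": frozenset({"RegOpenKeyExA", "RegQueryValueExA"}),
    "runtime library loading": frozenset({"LoadLibraryA"}),
}
_ROOT_KEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
_MEM_FLAGS = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE")]
KEY_READ, KEY_WOW64_64KEY = 0x20019, 0x0100

def classify(calls: List[ApiCall]) -> List[str]:
    """Rule labels first, then decoded literal arguments of the interesting calls."""
    names = {c.name for c in calls}
    findings = [label for label, needed in _RULES.items() if needed <= names]
    for c in calls:
        if c.name == "VirtualAllocEx" and len(c.args) >= 5:
            flags = _hex(c.args[3]) or 0
            alloc = "|".join(n for bit, n in _MEM_FLAGS if flags & bit) or f"{flags:#x}"
            prot = _PROTECT.get(_hex(c.args[4]), c.args[4])
            findings.append(f"VirtualAllocEx({alloc}, {prot}) at ref {c.ref}")
        elif c.name == "RegOpenKeyExA" and len(c.args) >= 3:
            root = _ROOT_KEYS.get(_hex(c.args[0]), c.args[0])
            sam = _hex(c.args[2])
            rights = "?" if sam is None else ("KEY_READ" if sam & KEY_READ == KEY_READ else f"{sam:#x}")
            if sam is not None and sam & KEY_WOW64_64KEY:
                rights += "|KEY_WOW64_64KEY"
            findings.append(f"RegOpenKeyExA({root}, {rights}) at ref {c.ref}")
        elif c.name == "WaitForSingleObject" and len(c.args) >= 2:
            ms = _hex(c.args[1])
            if ms is not None:
                findings.append(f"WaitForSingleObject timeout {ms} ms at ref {c.ref}")
    return findings

def triage(listing: str) -> List[Dict[str, object]]:
    """One entry per function with findings, keyed by the address of its first call."""
    out: List[Dict[str, object]] = []
    for calls in parse_functions(listing):
        findings = classify(calls)
        if findings:
            out.append({"first_ref": calls[0].ref, "apis": [c.name for c in calls], "findings": findings})
    return out

if __name__ == "__main__":
    for entry in triage(SAMPLE_LISTING):
        print(entry["first_ref"], "->", "; ".join(entry["findings"]))
```

Run it against a full report export by feeding the text of the function listing to triage(); functions that only allocate or copy strings produce no findings, while the injection function is reported with its allocation flags and protection decoded, which is the line a detection engineer would turn into a hunting query (remote RWX allocation followed by SetThreadContext from the same process).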

APIs
• _memset.LIBCMT ref: 0040F551
• GetThreadContext.KERNEL32(?,00000000), ref: 0040F599
• ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040F5B7
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040F5CD
• WriteProcessMemory.KERNEL32(?,00000000,00412DA1,?,00000000), ref: 0040F5FC
• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040F632
• WriteProcessMemory.KERNEL32(?,?,D6D9E8F4,00000004,00000000), ref: 0040F659
• SetThreadContext.KERNEL32(?,00000000), ref: 0040F66B
Strings: (none listed)
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches: (none listed)
Similarity
• API ID: MemoryProcess$Write$ContextThread$AllocReadVirtual_memset
• String ID: ($C:\Windows\System32\cmd.exe
• API String ID: 1852632844-4087486346
• Opcode ID: fc6958dfbf358ad115f9979f5327a80d9ab071de5378f2a28a16158bd4d0b81a
                                                                                                                                                                            • Instruction ID: 3ae57a7eb54b080212c2adebd7e2c133790e565b2c83da63b575b4611208c390
                                                                                                                                                                            • Opcode Fuzzy Hash: fc6958dfbf358ad115f9979f5327a80d9ab071de5378f2a28a16158bd4d0b81a
                                                                                                                                                                            • Instruction Fuzzy Hash: FF414872A00208BFDB11DF94DC85FAABBB9FF48705F104075FA01E6161D775AE448B24
APIs
• GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00415202
• _memset.LIBCMT ref: 00415225
• GetDriveTypeA.KERNEL32(?), ref: 0041522E
  • Part of subcall function 00414D08: _memset.LIBCMT ref: 00414D8F
  • Part of subcall function 00414D08: _memset.LIBCMT ref: 00414DA0
  • Part of subcall function 00414D08: _memset.LIBCMT ref: 00414E68
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: _memset$Drive$LogicalStringsType
• String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
• API String ID: 2132072831-147700698
• Opcode ID: e5c5d29f18521d925315bfd8a257a194eb4ce0c346b90177c3109ac5f0b7b103
• Instruction ID: 053258c5bb1b64546686566c734b2c50377afb1b03b5d253bdbdf7ee91f387e0
• Instruction Fuzzy Hash: 5A513DB190021CAFDF219FA4DC85BEE7BB9FB05304F1041AAEA08A7111E7355E89CF59
APIs
• OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00401823
• SetThreadDesktop.USER32(00000000), ref: 0040182A
• GetCursorPos.USER32(?), ref: 0040183A
• Sleep.KERNEL32(000003E8), ref: 0040184A
• GetCursorPos.USER32(?), ref: 00401859
• Sleep.KERNEL32(00002710), ref: 0040186B
• Sleep.KERNEL32(000003E8), ref: 00401870
• GetCursorPos.USER32(?), ref: 0040187F
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: CursorSleep$Desktop$InputOpenThread
• String ID:
• API String ID: 3283940658-0
• Opcode ID: f5ba76f92f65e2804661e56e76115090119226def0e33c1286c40128a66e7fa7
• Instruction ID: 6ce610161f310883e20b46de56f80fe1d7998de54b5bc585690095a2dc5f2f67
• Instruction Fuzzy Hash: C9112E32E00209EBEB10EBA4CD89AAF77B9AF44301F644877D501B21A0D7789B41CB58
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0042B785,?,00428536,?,000000BC,?), ref: 0042B15B
• GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0042B785,?,00428536,?,000000BC,?), ref: 0042B184
• GetACP.KERNEL32(?,?,0042B785,?,00428536,?,000000BC,?), ref: 0042B198
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: dabdef429acf28403b0f87105750c87aa7dd444468e3f7da184b66417ca4622f
• Instruction ID: bab2fb771c86b1a66c882929dcacf4a7e915e9f6e329ecc6f4a62be70c8f3a49
• Instruction Fuzzy Hash: 8301FC31701616BAEB219B61BC16F6B33B8EF04398F60406BF501E51D0E768CE9192DC
APIs
• IsDebuggerPresent.KERNEL32 ref: 0041D492
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041D4A7
• UnhandledExceptionFilter.KERNEL32(0043332C), ref: 0041D4B2
• GetCurrentProcess.KERNEL32(C0000409), ref: 0041D4CE
• TerminateProcess.KERNEL32(00000000), ref: 0041D4D5
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 0be4ccc36355f57da2dd84c823a7aa655c5a2e2b1389c81ad29a2517ab6cb058
• Instruction ID: e473dba1badf48f1c5e4f0788e14c81c1bc8c7bf2b41c3635b46f961f92df15a
• Instruction Fuzzy Hash: E321A0B5800304DFD760DF65FC84A483BB5FB08B1AF50913AE509972A2E7B4D5868F5D
APIs
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: e742114cad1722125c79802c132c505b8aa059e1db89f26ea849efe0e0605f33
• Instruction ID: c69d5f22ebc2148a584e54009ae478c4eb38845f80c993d44d8f7e46e0a34171
• Instruction Fuzzy Hash: 81B1553290425AAFEF15CF6CD8857EEBBA5FF59310F14816EEA14AB241D2399D01C7A0
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00792184
• IsDebuggerPresent.KERNEL32 ref: 00792250
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00792269
• UnhandledExceptionFilter.KERNEL32(?), ref: 00792273
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 18ce0d8478a3641dabc7516400d562393c335452df318c41e04eb053d314e4e6
• Instruction ID: 86d1ec4fda048e4b520296adfb851e52ce1bef1762bab5f73ed3509895f0e547
• Instruction Fuzzy Hash: 1D311675D01218DBDF20EFA4E9497CDBBB8BF48300F1041EAE50CAB250EBB59A858F45
APIs
  • Part of subcall function 0040DB54: lstrlenA.KERNEL32(?,75B65460,?,00000000), ref: 0040DB90
  • Part of subcall function 0040DB54: strchr.MSVCRT ref: 0040DBA2
• HeapFree.KERNEL32(00000000), ref: 0040DCFC
• strcpy_s.MSVCRT ref: 0040DD18
• HeapFree.KERNEL32(00000000), ref: 0040DD37
• HeapFree.KERNEL32(00000000), ref: 0040DD6F
• HeapFree.KERNEL32(00000000), ref: 0040DD99
• strcpy_s.MSVCRT ref: 0040DDAF
• HeapFree.KERNEL32(00000000), ref: 0040DDC8
• HeapFree.KERNEL32(00000000), ref: 0040DDED
• HeapFree.KERNEL32(00000000), ref: 0040DE17
• strcpy_s.MSVCRT ref: 0040DE27
• HeapFree.KERNEL32(00000000), ref: 0040DE40
• HeapFree.KERNEL32(00000000), ref: 0040DE6F
• HeapFree.KERNEL32(00000000), ref: 0040DE9F
• strcpy_s.MSVCRT ref: 0040DEB2
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040DECB
                                                                                                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040DED4
                                                                                                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040DF09
                                                                                                                                                                              • Part of subcall function 0040F0FD: std::_Xinvalid_argument.LIBCPMT ref: 0040F113
                                                                                                                                                                            • strcpy_s.MSVCRT ref: 0040DF4A
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040DF7D
                                                                                                                                                                            • lstrlenA.KERNEL32(?), ref: 0040DF82
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040DFB3
                                                                                                                                                                            • strcpy_s.MSVCRT ref: 0040DFC1
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040DFD5
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040E011
                                                                                                                                                                            • strcpy_s.MSVCRT ref: 0040E03A
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040E053
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040E0FE
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040E14F
                                                                                                                                                                              • Part of subcall function 0040DB54: strchr.MSVCRT ref: 0040DBC7
                                                                                                                                                                              • Part of subcall function 0040DB54: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCCC), ref: 0040DBE9
                                                                                                                                                                              • Part of subcall function 0040DB54: strcpy_s.MSVCRT ref: 0040DC44
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeHeap$strcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
                                                                                                                                                                            • String ID: _@
                                                                                                                                                                            • API String ID: 219400098-466146849
                                                                                                                                                                            • Opcode ID: 9f0045c30a09c34ff4b6ec70d6048ce7fbddb1753deef394bb0464aa14a9fcd2
                                                                                                                                                                            • Instruction ID: 264ceb0be135a5a7d918390b30d24df8278dbd2fe0c2fac3f8f65e357691b9f1
                                                                                                                                                                            • Opcode Fuzzy Hash: 9f0045c30a09c34ff4b6ec70d6048ce7fbddb1753deef394bb0464aa14a9fcd2
                                                                                                                                                                            • Instruction Fuzzy Hash: 8EE13C72C00219AFEF20AFF5DC88ADEBF79AF48305F14446AF205B3152DA3A59849F54

APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00424B6F
• __mtterm.LIBCMT ref: 00424B7B
  • Part of subcall function 0042483A: DecodePointer.KERNEL32(FFFFFFFF), ref: 0042484B
  • Part of subcall function 0042483A: TlsFree.KERNEL32(FFFFFFFF), ref: 00424865
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00424B91
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00424B9E
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00424BAB
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00424BB8
• TlsAlloc.KERNEL32 ref: 00424C08
• TlsSetValue.KERNEL32(00000000), ref: 00424C23
• __init_pointers.LIBCMT ref: 00424C2D
• EncodePointer.KERNEL32 ref: 00424C3E
• EncodePointer.KERNEL32 ref: 00424C4B
• EncodePointer.KERNEL32 ref: 00424C58
• EncodePointer.KERNEL32 ref: 00424C65
• DecodePointer.KERNEL32(Function_000249BE), ref: 00424C86
• __calloc_crt.LIBCMT ref: 00424C9B
• DecodePointer.KERNEL32(00000000), ref: 00424CB5
• __initptd.LIBCMT ref: 00424CC0
• GetCurrentThreadId.KERNEL32 ref: 00424CC7
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 3732613303-3819984048
• Opcode ID: 0a94c54a7945867de6cfe35b03e58e96b0a908eff489fa3a921db52f6821de8f
• Instruction ID: 342ea3fdfc67916c9f1319b2c0e4fcf8768d432b58525999a292328997d6bcd9
• Opcode Fuzzy Hash: 0a94c54a7945867de6cfe35b03e58e96b0a908eff489fa3a921db52f6821de8f
• Instruction Fuzzy Hash: 99314935E093609ADB21AF7ABC086073FA4EF84726B51163BE410D36A1DB78D840CB5C

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 00401A13
• lstrcmpiA.KERNEL32(0043ABCC,?), ref: 00401A2E
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: NameUserlstrcmpi
• String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
• API String ID: 542268695-1784693376
• Opcode ID: 3f0af724c2dcbc4c0c866c45427fa56f2bbf27492d3fc28d0ab31a611d6431bd
• Instruction ID: d9236fb4f0ff957f0166239cbbf2c5784357e6586ba14347c128fa04638c492f
• Opcode Fuzzy Hash: 3f0af724c2dcbc4c0c866c45427fa56f2bbf27492d3fc28d0ab31a611d6431bd
• Instruction Fuzzy Hash: 342103B194526C8BCB20CF159D4C6DDBBB4AB5D308F00B1DAD5886A210C7B85ED9CF4D
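The function at 00401A13 above reads the logged-on account name with GetUserNameA and compares it with lstrcmpiA against the string table listed in its String ID (Emily, John Doe, WDAGUtilityAccount, sandbox, test user, ...). That is a sandbox/analyst-account check; lstrcmpiA compares case-insensitively, so an account called USER or Sandbox matches just as well as the lower-case table entries. The Python below is added here as an example and is not part of the Joe Sandbox report or of the analysed sample. It reproduces the comparison so an analyst can confirm whether a given VM account name would match, and scans a memory dump for the same table as a triage heuristic. The dump bytes are constructed for the example, and the assumption that every listed entry (including CurrentUser) is compared against the account name follows from the String ID, which shows the table but not the control flow around it.

```python
"""Reproduce and detect the username check seen at 0x00401A13 (GetUserNameA + lstrcmpiA)."""

# String table from the report's String ID for the function at 0x00401A13.
# Assumption: each entry is compared against the account name; the report
# shows the table, not which entries the control flow actually reaches.
SANDBOX_USERNAMES = (
    "CurrentUser", "Emily", "HAPUBWS", "Hong Lee", "IT-ADMIN", "John Doe",
    "Johnson", "Miller", "Peter Wilson", "Sand box", "WDAGUtilityAccount",
    "maltest", "malware", "milozs", "sandbox", "test user", "timmy", "user",
    "virus",
)

_TABLE_FOLDED = {name.casefold() for name in SANDBOX_USERNAMES}


def username_trips_check(account_name: str) -> bool:
    """True if lstrcmpiA(account_name, entry) would return 0 for some table entry.

    lstrcmpiA is case-insensitive, so both sides are case-folded before comparing.
    """
    return account_name.casefold() in _TABLE_FOLDED


def find_username_table(dump: bytes) -> list[str]:
    """Table entries present in a dump as NUL-terminated ANSI strings.

    Each needle is bracketed by NULs so that "user" is not reported merely
    because "test user" (or any longer string ending in "user") is present.
    """
    haystack = b"\x00" + dump + b"\x00"
    return [
        name
        for name in SANDBOX_USERNAMES
        if b"\x00" + name.encode("ascii") + b"\x00" in haystack
    ]


def looks_like_vidar_user_check(dump: bytes, threshold: int = 10) -> bool:
    """Triage heuristic: the table is distinctive only as a set.

    Single entries such as "user" occur in benign binaries, so a sizeable
    part of the table must be present before a dump is flagged.
    """
    return len(find_username_table(dump)) >= threshold


# Constructed sample data (not taken from the sample): a fragment of a string
# table like the one in the dump, and a benign buffer that contains only a
# common word plus one table entry.
SAMPLE_DUMP = b"\x00".join(n.encode("ascii") for n in SANDBOX_USERNAMES[:12]) + b"\x00"
BENIGN_DUMP = b"Administrator\x00test user\x00C:\\Users\\\x00"


if __name__ == "__main__":
    for account in ("Administrator", "USER", "Sand Box", "jsmith"):
        print(f"{account!r}: trips check = {username_trips_check(account)}")
    print("sample dump entries:", find_username_table(SAMPLE_DUMP))
    print("flag sample:", looks_like_vidar_user_check(SAMPLE_DUMP))
    print("flag benign:", looks_like_vidar_user_check(BENIGN_DUMP))
```

The practical consequence for a detonation environment is that the analysis account should not carry any of these names, including their differently-cased forms; str.casefold is an approximation of lstrcmpiA, which uses the thread locale's case mapping, but the two agree for the ASCII entries in this table.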

APIs
• lstrlenA.KERNEL32(00000000,762283C0,00000000,0041C5A0,?), ref: 0041B8BA
• StrCmpCA.SHLWAPI(762283C0,0043613C), ref: 0041B8E8
• StrCmpCA.SHLWAPI(762283C0,.zip), ref: 0041B8F8
• StrCmpCA.SHLWAPI(762283C0,.zoo), ref: 0041B904
• StrCmpCA.SHLWAPI(762283C0,.arc), ref: 0041B910
• StrCmpCA.SHLWAPI(762283C0,.lzh), ref: 0041B91C
• StrCmpCA.SHLWAPI(762283C0,.arj), ref: 0041B928
• StrCmpCA.SHLWAPI(762283C0,.gz), ref: 0041B934
• StrCmpCA.SHLWAPI(762283C0,.tgz), ref: 0041B940
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: lstrlen
• String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
• API String ID: 1659193697-51310709
• Opcode ID: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
• Instruction ID: a6acff1ce351d4c2d08f5f7e1dd5765e0b6a09ac0655d91721820eb3858dbec9
• Opcode Fuzzy Hash: 54ae333f8b5274885e17379ca82bd682d21753aa1aef1686f1ee84574de7c63d
• Instruction Fuzzy Hash: 7A019231B8132BB55A6236219E42EFF1A5C8D97F917155037E800E21C8EB4C988365FE

Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: _memset
• String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
• API String ID: 2102423945-974132213
• Opcode ID: bf252c35c8b55aa2f47da0acf7c4516a3fa7683d86b1e94a602c03db96ee7b73
• Instruction ID: 3cefbc2560fae273e5afeb2847eac18d6cd6927558b4bb74fdd557bb6d377028
• Opcode Fuzzy Hash: bf252c35c8b55aa2f47da0acf7c4516a3fa7683d86b1e94a602c03db96ee7b73
• Instruction Fuzzy Hash: B441B971D4022D7ADB24EB61EC4BFDD7778AB08304F1444AAB605F70D1DAB8AB848F59
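The string table of the function above (`\.aws\`, `\.azure\`, `\.IdentityService\`, `msal.cache`, the `*.*` wildcard, and `Azure\...` names that read like output subfolders) belongs to the stealer's cloud-credential collection: it enumerates those directories with a `%s\*.*` pattern and copies what it finds. The Python below is added here as an incident-response example; it is not code from the report or from the sample. It lists which files under a user profile that enumeration would have reached, so a responder can scope which AWS and Azure secrets to rotate. Mapping the fragments to host paths is an assumption (`.aws` and `.azure` directly under the profile, as the AWS and Azure CLIs create them; `.IdentityService\msal.cache` under `AppData\Local`), and the profile tree the example scans is constructed in a temporary directory.

```python
"""Scope cloud-credential exposure to the directories this stealer enumerates."""
import tempfile
from pathlib import Path

# Path fragments from the function's string table, mapped to locations under a
# user profile. Assumption: .aws and .azure sit directly under the profile;
# .IdentityService\msal.cache is the MSAL token cache under %LOCALAPPDATA%.
TARGETS = (
    ("aws", Path(".aws"), "*"),
    ("azure", Path(".azure"), "*"),
    ("msal", Path("AppData/Local/.IdentityService"), "msal.cache"),
)


def exposed_credential_files(profile: Path) -> dict[str, list[str]]:
    """Files a `%s\\*.*` walk of the targeted directories would collect.

    Returns profile-relative POSIX-style paths grouped by target, so the
    result is stable across operating systems.
    """
    found: dict[str, list[str]] = {}
    for label, subdir, pattern in TARGETS:
        base = profile / subdir
        if not base.is_dir():
            continue
        hits = sorted(
            p.relative_to(profile).as_posix()
            for p in base.rglob(pattern)
            if p.is_file()
        )
        if hits:
            found[label] = hits
    return found


def build_demo_profile(root: Path) -> Path:
    """Constructed profile tree for the example; contents are placeholders, not credentials."""
    profile = root / "Users" / "jsmith"
    files = {
        ".aws/credentials": "[default]\naws_access_key_id = PLACEHOLDER\n",
        ".aws/config": "[default]\nregion = eu-west-1\n",
        ".azure/azureProfile.json": "{}\n",
        ".azure/msal_token_cache.bin": "placeholder\n",
        "AppData/Local/.IdentityService/msal.cache": "placeholder\n",
        "AppData/Local/.IdentityService/other.dat": "placeholder\n",
        "Documents/notes.txt": "not a credential store\n",
    }
    for rel, content in files.items():
        path = profile / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return profile


def demo() -> dict[str, list[str]]:
    """Build the constructed profile in a temp dir and report what the walk reaches."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposed_credential_files(build_demo_profile(Path(tmp)))


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}:")
        for rel in paths:
            print(f"  {rel}")
```

Anything the function lists on a real host should be treated as already exfiltrated: access keys in `.aws/credentials` need to be rotated, and the token caches hold refresh tokens that stay valid until revoked server-side, so signing out on the host alone does not help. Note that `other.dat` under `.IdentityService` is deliberately not reported, because the table names the single file `msal.cache` there rather than a wildcard.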

Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: _memset$strtok_s$Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
• API String ID: 2378718607-332874205
• Opcode ID: 906c4d521f01e6e342adc7cfc72de3dfdf3114fc934318aaa3c07627eb2d389c
• Instruction ID: ac959522ac8161a8c59de6a03dc3e9916ed04c50c613448a2b432023ce8b070b
• Opcode Fuzzy Hash: 906c4d521f01e6e342adc7cfc72de3dfdf3114fc934318aaa3c07627eb2d389c
• Instruction Fuzzy Hash: D6C13BB1D0021AABCF22EF60DC45AEE777DAB48304F0140A6FA09B3151DB799B858F59
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3833677464-0
                                                                                                                                                                            • Opcode ID: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
                                                                                                                                                                            • Instruction ID: 0bc65d7e22c7fdf9df02714a717bc1bc287677933603e426b8eb902575a055b2
                                                                                                                                                                            • Opcode Fuzzy Hash: 784abcef5afcd593a1ca4234ae08e44cf487d9407e5e4ef41eebf28f0038ada9
                                                                                                                                                                            • Instruction Fuzzy Hash: 962137B1306120EAD7217F27F80294FBBE0DF81B18BA0442FF58496252DF3DAC808A5D
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 004015C6
                                                                                                                                                                              • Part of subcall function 004015BC: HeapAlloc.KERNEL32(00000000), ref: 004015CD
                                                                                                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00401606
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0040160C
                                                                                                                                                                            • SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00401614
                                                                                                                                                                            • GetWindowContextHelpId.USER32(00000000), ref: 0040161B
                                                                                                                                                                            • GetWindowLongW.USER32(00000000,00000000), ref: 00401623
                                                                                                                                                                            • RegisterClassW.USER32(00000000), ref: 0040162A
                                                                                                                                                                            • IsWindowVisible.USER32(00000000), ref: 00401631
                                                                                                                                                                            • ConvertDefaultLocale.KERNEL32(00000000), ref: 00401638
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401644
                                                                                                                                                                            • IsDialogMessageW.USER32(00000000,00000000), ref: 0040164C
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00401656
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0040165D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3627164727-0
                                                                                                                                                                            • Opcode ID: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
                                                                                                                                                                            • Instruction ID: 597bc7deab9f95c5419af2560a3a18d661806b2e942c9da5f2f727d66e905f75
                                                                                                                                                                            • Opcode Fuzzy Hash: 90e2bc38f92fcaff424a9cbc551a6a023065eacd9b594e7e38103360e1463183
                                                                                                                                                                            • Instruction Fuzzy Hash: 17014672402824FBC7156BA1BD6DDDF3E7CEE4A3527141265F60A910608B794A01CBFE
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 00426684
                                                                                                                                                                            • _free.LIBCMT ref: 00426692
                                                                                                                                                                            • _free.LIBCMT ref: 0042669D
                                                                                                                                                                            • _free.LIBCMT ref: 00426671
                                                                                                                                                                              • Part of subcall function 0041D98B: HeapFree.KERNEL32(00000000,00000000,?,0041D1D3,00000000,0043B6F4,0041D21A,0040EE93,?,?,0041D304,0043B6F4,?,?,0042EC88,0043B6F4), ref: 0041D9A1
                                                                                                                                                                              • Part of subcall function 0041D98B: GetLastError.KERNEL32(?,?,?,0041D304,0043B6F4,?,?,0042EC88,0043B6F4,?,?,?), ref: 0041D9B3
                                                                                                                                                                            • ___free_lc_time.LIBCMT ref: 004266BB
                                                                                                                                                                            • _free.LIBCMT ref: 004266C6
                                                                                                                                                                            • _free.LIBCMT ref: 004266EB
                                                                                                                                                                            • _free.LIBCMT ref: 00426702
                                                                                                                                                                            • _free.LIBCMT ref: 00426711
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lc_time
                                                                                                                                                                            • String ID: xLC
                                                                                                                                                                            • API String ID: 3704779436-381350105
                                                                                                                                                                            • Opcode ID: 75c8617aa577018b802f999097e256e29a76f75524ffb918136c170e5bfc19f7
                                                                                                                                                                            • Instruction ID: 49b3ec72b6b2c094beee6f0e5666a09e04043e36b45bb43ec530869945208503
                                                                                                                                                                            • Opcode Fuzzy Hash: 75c8617aa577018b802f999097e256e29a76f75524ffb918136c170e5bfc19f7
                                                                                                                                                                            • Instruction Fuzzy Hash: CF11B6F16107159BDF206F66E885A9AB395AB4170DF59093FF10597241CB3C9C90CE28
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041BA0A
                                                                                                                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0041BA83
                                                                                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BA9F
                                                                                                                                                                            • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BAB3
                                                                                                                                                                            • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BABC
                                                                                                                                                                            • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BACC
                                                                                                                                                                            • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BAEA
                                                                                                                                                                            • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BAFA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$PointerRead$HandleInformationSize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2979504256-3916222277
                                                                                                                                                                            • Opcode ID: c0fb2db621269d954561ef5db822be1f18ad4306e372f21deb85d8fd3cc2ab73
                                                                                                                                                                            • Instruction ID: f057a21d600b3b22fe9ce4a4ad899485fc4b8af774a3bef2e9074c408679b76e
                                                                                                                                                                            • Opcode Fuzzy Hash: c0fb2db621269d954561ef5db822be1f18ad4306e372f21deb85d8fd3cc2ab73
                                                                                                                                                                            • Instruction Fuzzy Hash: 2151F5B1D00218AFDB28DFA5D981AEEBBB9EF44304F10442AE515E7660D738AD85CF94
                                                                                                                                                                            APIs
                                                                                                                                                                            • UnDecorator::getArgumentList.LIBCMT ref: 0041F9B7
                                                                                                                                                                              • Part of subcall function 0041F552: Replicator::operator[].LIBCMT ref: 0041F5D5
                                                                                                                                                                              • Part of subcall function 0041F552: DName::operator+=.LIBCMT ref: 0041F5DD
                                                                                                                                                                            • DName::operator+.LIBCMT ref: 0041FA10
                                                                                                                                                                            • DName::DName.LIBCMT ref: 0041FA68
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                                                                                                                                                            • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                                                                                            • API String ID: 834187326-2211150622
                                                                                                                                                                            • Opcode ID: cbd467bd594783157b11b8f65c6b9ca11f902f73757fc4ad6040fd7a65445d3d
                                                                                                                                                                            • Instruction ID: fb54d07a68d6be51e8ce47b648e01284641db43b2701e064647495a662b2e82f
                                                                                                                                                                            • Opcode Fuzzy Hash: cbd467bd594783157b11b8f65c6b9ca11f902f73757fc4ad6040fd7a65445d3d
                                                                                                                                                                            • Instruction Fuzzy Hash: 0F213D307012449FCB15DF5CD4449A97BF4EF4939AB4480A6E849DB367C738EA87CB49
                                                                                                                                                                            APIs
                                                                                                                                                                            • UnDecorator::UScore.LIBCMT ref: 00421335
                                                                                                                                                                            • DName::DName.LIBCMT ref: 00421341
                                                                                                                                                                              • Part of subcall function 0041F00C: DName::doPchar.LIBCMT ref: 0041F03D
                                                                                                                                                                            • UnDecorator::getScopedName.LIBCMT ref: 00421380
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 0042138A
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 00421399
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 004213A5
                                                                                                                                                                            • DName::operator+=.LIBCMT ref: 004213B2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                                                                                                                                                            • String ID: void
                                                                                                                                                                            • API String ID: 1480779885-3531332078
                                                                                                                                                                            • Opcode ID: 88dbe5eb7ff6c0574109cc730e57ac6624d6c1ec8f8b0c341c280c3a547b1e03
                                                                                                                                                                            • Instruction ID: 4ad8086984012fe6e396dd634d951fd617e344818dca446778c829ad9440c5de
                                                                                                                                                                            • Opcode Fuzzy Hash: 88dbe5eb7ff6c0574109cc730e57ac6624d6c1ec8f8b0c341c280c3a547b1e03
                                                                                                                                                                            • Instruction Fuzzy Hash: 4111C671A00208AFD714EB25D856BED7BA0AF24305F44409BE8029B6E2CB389A86C749
                                                                                                                                                                            APIs
                                                                                                                                                                            • StrCmpCA.SHLWAPI(?,Opera,0043683B,0043683A,00436837,00436836,00436833,00436832,0043682F), ref: 0040C060
                                                                                                                                                                            • StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C06E
                                                                                                                                                                            • StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C07C
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Opera$Opera Crypto$Opera GX$\*.*
                                                                                                                                                                            • API String ID: 0-1710495004
                                                                                                                                                                            • Opcode ID: ba3c3280e43c410dcd590412856208ecd2083af9cf8d9d35a7cd81e77f195fe9
                                                                                                                                                                            • Instruction ID: 79937c07745840ca59eddc5a5cdfa6df5c628ddd8be8d0246969757881689052
                                                                                                                                                                            • Opcode Fuzzy Hash: ba3c3280e43c410dcd590412856208ecd2083af9cf8d9d35a7cd81e77f195fe9
                                                                                                                                                                            • Instruction Fuzzy Hash: 1A021C71A001299BCB21FB26DD466CD7771AF14308F4151EBB948B3191DBB86FC98F88
                                                                                                                                                                            APIs
                                                                                                                                                                            • ??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB27
                                                                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB53
                                                                                                                                                                            • _memset.LIBCMT ref: 0040FB96
                                                                                                                                                                            • ??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FCEC
                                                                                                                                                                              • Part of subcall function 0040F005: _memmove.LIBCMT ref: 0040F01F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: OpenProcess_memmove_memset
                                                                                                                                                                            • String ID: N0ZWFt
                                                                                                                                                                            • API String ID: 2647191932-431618156
                                                                                                                                                                            • Opcode ID: 898c51137a7cc0ead4e363bda5b9ea1602847eab9fbb75ffd378713a9d89c653
                                                                                                                                                                            • Instruction ID: 20d42e2015e456c1747424349194f0c6a0577cf11073bf2f021c8e6848fe4d5e
                                                                                                                                                                            • Opcode Fuzzy Hash: 898c51137a7cc0ead4e363bda5b9ea1602847eab9fbb75ffd378713a9d89c653
                                                                                                                                                                            • Instruction Fuzzy Hash: B75182B1D0022C9BDB309F14DC85AEDB7B9AB44304F0001FAA609B7592DB796E88CF59
                                                                                                                                                                            APIs
                                                                                                                                                                            • ??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0040FBB8,?,00000000,00000000,?,?), ref: 0040F909
                                                                                                                                                                            • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0040FBB8,?,00000000,00000000), ref: 0040F933
                                                                                                                                                                            • ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0040F980
                                                                                                                                                                            • ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0040F9D9
                                                                                                                                                                            • VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0040FA31
                                                                                                                                                                            • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0040FBB8,?,00000000,00000000,?,?), ref: 0040FA42
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MemoryProcessQueryReadVirtual
                                                                                                                                                                            • String ID: @
                                                                                                                                                                            • API String ID: 3835927879-2766056989
                                                                                                                                                                            • Opcode ID: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
                                                                                                                                                                            • Instruction ID: e19652b96a8f31f04c1644d4b4c156224b0badc17b6e07d08097c67cb35c2b0c
                                                                                                                                                                            • Opcode Fuzzy Hash: a9495d4f72b3d1438dfa2c68789035a7ae4ab924da08034bdec0029a689f928b
                                                                                                                                                                            • Instruction Fuzzy Hash: 9C41BE32A00209BFDF209FA1DC45BDF7B76EF44760F14803AFA04A6690D7788955DB94
                                                                                                                                                                            APIs
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00792E37
                                                                                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00792E3F
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00792EC8
                                                                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00792EF3
                                                                                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00792F48
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                            • String ID: :!y$csm
                                                                                                                                                                            • API String ID: 1170836740-206657981
                                                                                                                                                                            • Opcode ID: f3929d1580c5b35bb30d6753870dedd4da4b53140c537cce089d9b4ec98e7d0c
                                                                                                                                                                            • Instruction ID: ac010d7a9795bdb0a809db07407ab0fc13e51544090991ed0156d94a36262be2
                                                                                                                                                                            • Opcode Fuzzy Hash: f3929d1580c5b35bb30d6753870dedd4da4b53140c537cce089d9b4ec98e7d0c
                                                                                                                                                                            • Instruction Fuzzy Hash: FF41B734A00208EBCF10EF68D888AAEBBF5EF45314F148155E8155B3A3D779DE56CB91
                                                                                                                                                                            APIs
                                                                                                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00793F7C
                                                                                                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 0079408A
                                                                                                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 007941F7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallMatchTypeUnexpectedtype_info::operator==
                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                            • API String ID: 1206542248-393685449
                                                                                                                                                                            • Opcode ID: 7aa1a579ac44d4ddba5092aee05d689c806eae71af2be5ec04bd42dc4187fb16
                                                                                                                                                                            • Instruction ID: e1b76d12e159546060f332272ad9a7f56492cae227f2564b2f5aa72f4a51a1fb
                                                                                                                                                                            • Opcode Fuzzy Hash: 7aa1a579ac44d4ddba5092aee05d689c806eae71af2be5ec04bd42dc4187fb16
                                                                                                                                                                            • Instruction Fuzzy Hash: BDB14771C00209EFCF29DFA4E885DAEBBB5FF14310B15419AE8156B212D739DA92CF91
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memset$ObjectSingleWait
                                                                                                                                                                            • String ID: .exe$23a142269e47ce1692ccc9fb68473bc2$EMPTY
                                                                                                                                                                            • API String ID: 12478032-2199943196
                                                                                                                                                                            • Opcode ID: b799e55be2d5ac1ccf5fc4e0a91b30e673d6d24515a90444e9f79190fbec8b07
                                                                                                                                                                            • Instruction ID: 7120b0bcb209939396e98daef681599c2d67828aa6ca78812403a899de2e5871
                                                                                                                                                                            • Opcode Fuzzy Hash: b799e55be2d5ac1ccf5fc4e0a91b30e673d6d24515a90444e9f79190fbec8b07
                                                                                                                                                                            • Instruction Fuzzy Hash: 7D9121B1E0012DABCF11EF65DD46BCD7779AB04309F4150AAB608B30A1CA796FC98F58
                                                                                                                                                                            APIs
                                                                                                                                                                            • lstrlenA.KERNEL32(?,75B65460,?,00000000), ref: 0040DB90
                                                                                                                                                                            • strchr.MSVCRT ref: 0040DBA2
                                                                                                                                                                            • strchr.MSVCRT ref: 0040DBC7
                                                                                                                                                                            • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DCCC), ref: 0040DBE9
                                                                                                                                                                            • strcpy_s.MSVCRT ref: 0040DC44
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrlenstrchr$strcpy_s
                                                                                                                                                                            • String ID: 0123456789ABCDEF
                                                                                                                                                                            • API String ID: 1957064729-2554083253
• Opcode ID: 8a80138f6bd7a7f2679b34f9e534e62fa066860175bf704f797071b7d644e1de
• Instruction ID: f8fd079a78b2ff1c2deed706dfff43d30c371303101ee63b350453b9db15b758
• Opcode Fuzzy Hash: 8a80138f6bd7a7f2679b34f9e534e62fa066860175bf704f797071b7d644e1de
• Instruction Fuzzy Hash: 36315E72D002199FDB10DFE8DC89ADEBBB5AF08315F110179E901FB281DB79A909CB54

APIs
• FreeLibrary.KERNEL32(00000000,?,00798234,?,007910E3,?,00000000,?,?,007983AD,00000021,FlsSetValue,007A55B8,007A55C0,?), ref: 007981E8
Strings
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 31c6d971be12372c3c8f2b09a38b5b906ee44d9ac08f4154ad2c54c2733de9e4
• Instruction ID: cddfeedc32f6ba1034acded78b5c575c4daf3e603eb49e56fb6b9362e04c7993
• Opcode Fuzzy Hash: 31c6d971be12372c3c8f2b09a38b5b906ee44d9ac08f4154ad2c54c2733de9e4
• Instruction Fuzzy Hash: 5821A871A41218E7CF619B64FC44B5B3759AB83760F250219ED05A7291DF78EE03C6E1

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Name::operator+$NameName::
• String ID: throw(
• API String ID: 168861036-3159766648
• Opcode ID: 6bcf798ea22f69823d702c871f8da28da09a6e3f13a520559632ccd68f072322
• Instruction ID: ce185b860f32254eac45faa161dbbb74df866feaa3f5b4bc6d1d263faa69c407
• Opcode Fuzzy Hash: 6bcf798ea22f69823d702c871f8da28da09a6e3f13a520559632ccd68f072322
• Instruction Fuzzy Hash: 5F017E34600209AFCF04EF64D856EED7BB5EF44748F50407AF9059B292DB78E98A874C

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,007A34CC,000000FF,?,0079760F,?,?,007975E3,00000000), ref: 007976B4
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007976C6
• FreeLibrary.KERNEL32(00000000,?,?,00000000,007A34CC,000000FF,?,0079760F,?,?,007975E3,00000000), ref: 007976E8
Strings
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: :!y$CorExitProcess$mscoree.dll
• API String ID: 4061214504-380778296
• Opcode ID: cac3f18e10c0a319ff1f6282eaad7072fa86d7a57a1c567f185efe1163682473
• Instruction ID: d2a34771e3ec4a98566971b4d722f15c0ed257fac9223db2358e68dac535f573
• Opcode Fuzzy Hash: cac3f18e10c0a319ff1f6282eaad7072fa86d7a57a1c567f185efe1163682473
• Instruction Fuzzy Hash: FF01A771518619EBDB018F54DC05BAFB7B8FBC5B10F004625F821A2690DBBD9D00CA54

APIs
• GetLastError.KERNEL32(?,?,007934A8,0079317C,00792355), ref: 007934BF
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007934CD
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007934E6
• SetLastError.KERNEL32(00000000,007934A8,0079317C,00792355), ref: 00793538
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 434ec5fc7bfe9f8d51bb49c8df4d8ee759e63d417db387d158c24cebfbc93884
• Instruction ID: 42ccced08e80a557b941015c66c281664548b97dc82bf47a8eedfc1eae9b488c
• Opcode Fuzzy Hash: 434ec5fc7bfe9f8d51bb49c8df4d8ee759e63d417db387d158c24cebfbc93884
• Instruction Fuzzy Hash: 610126722083159EEE2527B4BCDAA3B2B84DB8AB747310339F520811F2FF9D4E119244

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: AdjustPointer
• String ID: :!y
• API String ID: 1740715915-1945855279
• Opcode ID: 00475935ba923abceb80427172e49fe16bf747cb67710bbf8d1a72a0bac9147a
• Instruction ID: 63ccf33ead27559d736c41752db9dd1da79c6ec1ce487d3c93ed6a1689e945a1
• Opcode Fuzzy Hash: 00475935ba923abceb80427172e49fe16bf747cb67710bbf8d1a72a0bac9147a
• Instruction Fuzzy Hash: E151EE76601606EFDF289F54E856BBA73A5EF01710F24452DE802972A1E73DEE80CB90

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: _memset
• String ID: ERROR_V128$v10$v20$gC
• API String ID: 2102423945-2588172476
• Opcode ID: d1fe65eb4172e1b061751ccf6830125739748993e648a78769eb2abe3019f6f4
• Instruction ID: 32784a6a2cbcc3eaceeec4e79e4bc4ec165ad58523598210bf75c3a83be39c19
• Opcode Fuzzy Hash: d1fe65eb4172e1b061751ccf6830125739748993e648a78769eb2abe3019f6f4
• Instruction Fuzzy Hash: 2E41B5B2A00118ABCF20DF65CD45ADE7BA8AF84714F15413FFD40F7280EB7899859699

APIs
• SetFilePointer.KERNEL32(?,00000000,00000000,00000001,762283C0,00000000,?,?,?,?,?,?,0041C5D4,?,00416F69,?), ref: 0041C05E
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0041C5D4,?,00416F69), ref: 0041C08E
• GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0041C5D4,?,00416F69,?), ref: 0041C0BA
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0041C5D4,?,00416F69,?), ref: 0041C0C8
  • Part of subcall function 0041B9D6: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041BA0A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: File$Time$Pointer$HandleInformationLocalSystem
• String ID: ioA
• API String ID: 3986731826-1543057363
• Opcode ID: ea0d16ab0233029f2f6670c4ec71d0e05b8e894d5f5014189c3cd8366d21292b
• Instruction ID: a3ae9b5ee02e06381242bb1180d8469c0c66a3ab8020e6489cedce7931a59bc5
• Opcode Fuzzy Hash: ea0d16ab0233029f2f6670c4ec71d0e05b8e894d5f5014189c3cd8366d21292b
• Instruction Fuzzy Hash: C1415B71900249DBCF14DF69C884ADEBBF8FF48314F14426AE855EA266D3349985CFA4

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 0040F29C
  • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECAA
  • Part of subcall function 0042EC95: __CxxThrowException@8.LIBCMT ref: 0042ECBF
  • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECD0
• std::_Xinvalid_argument.LIBCPMT ref: 0040F2BB
• _memmove.LIBCMT ref: 0040F2F5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
• String ID: invalid string position$string too long
• API String ID: 3404309857-4289949731
• Opcode ID: 8e12207a144c445ab2d6e2887baac1ed13184b9167c9d4f836ba2983239090cc
                                                                                                                                                                            • Instruction ID: 5262f2a1c1bb7fc98e9b32af02b56188c6a606b0020a3752bba0e92898a3303c
                                                                                                                                                                            • Opcode Fuzzy Hash: 8e12207a144c445ab2d6e2887baac1ed13184b9167c9d4f836ba2983239090cc
                                                                                                                                                                            • Instruction Fuzzy Hash: 70110E753002019FCB24DE69D881A1973A8FF05324B50057AF812EBAC2C379E848CB9C
                                                                                                                                                                            APIs
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 007A022B
                                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 007A02EC
                                                                                                                                                                            • __freea.LIBCMT ref: 007A0353
                                                                                                                                                                              • Part of subcall function 00798A87: HeapAlloc.KERNEL32(00000000,?,?,?,00792778,?,?,?,?,?,00791051,?,?,?,007910E3,?), ref: 00798AB9
                                                                                                                                                                            • __freea.LIBCMT ref: 007A0368
                                                                                                                                                                            • __freea.LIBCMT ref: 007A0378
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                             • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1096550386-0
                                                                                                                                                                            • Opcode ID: ce01f19ebcf6f1ddc3f8d3b42f69e5659209d188bd71f151fe3cc43fa7aaf0f7
                                                                                                                                                                            • Instruction ID: a2e0731688e21daf94dd6b8c13f0cfead7b8fabdafb5f8ce176c815a34133357
                                                                                                                                                                            • Opcode Fuzzy Hash: ce01f19ebcf6f1ddc3f8d3b42f69e5659209d188bd71f151fe3cc43fa7aaf0f7
                                                                                                                                                                            • Instruction Fuzzy Hash: 5451D37260020AEFEF259E64DC89EBF76A9EF86354F150629FD04D6150EB78CC1087E1
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _freemalloc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3576935931-0
                                                                                                                                                                            • Opcode ID: 798a7c87ef51105fd5ff8b2a4ac34650f7d7e6e40ee0a51e7d15eb3ccc968397
                                                                                                                                                                            • Instruction ID: 1fe24d055b231caadb3bac1077d0b41ea54537017262c08fa21935ffde822665
                                                                                                                                                                            • Opcode Fuzzy Hash: 798a7c87ef51105fd5ff8b2a4ac34650f7d7e6e40ee0a51e7d15eb3ccc968397
                                                                                                                                                                            • Instruction Fuzzy Hash: 5A11EB32B40A35EBCF312F35BC05A5A3BA4AF84775FB0412BF948DA251DB3C8840869D
                                                                                                                                                                            APIs
                                                                                                                                                                            • __getptd.LIBCMT ref: 00426775
                                                                                                                                                                              • Part of subcall function 004249A4: __getptd_noexit.LIBCMT ref: 004249A7
                                                                                                                                                                              • Part of subcall function 004249A4: __amsg_exit.LIBCMT ref: 004249B4
                                                                                                                                                                            • __getptd.LIBCMT ref: 0042678C
                                                                                                                                                                            • __amsg_exit.LIBCMT ref: 0042679A
                                                                                                                                                                            • __lock.LIBCMT ref: 004267AA
                                                                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 004267BE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 938513278-0
                                                                                                                                                                            • Opcode ID: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
                                                                                                                                                                            • Instruction ID: 3cb0b0a6c2691d8e3da6a29315b7f2120c55896ae2d56be74b6963c8fc1e9199
                                                                                                                                                                            • Opcode Fuzzy Hash: e5b528c2df55b90b8f95683bbe5c3f4538672bfb3054380b72a1938f3589f922
                                                                                                                                                                            • Instruction Fuzzy Hash: 94F09672F007309ADA21FB79740275E32D0AF8072DF92011FF400972D2CB2C5940CA5E
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: strtok_s
                                                                                                                                                                            • String ID: false$true
                                                                                                                                                                            • API String ID: 3330995566-2658103896
                                                                                                                                                                            • Opcode ID: 26323a4b7be200d82d01d47cc2cf62ad8e034699c249e2f89ea46934ec275041
                                                                                                                                                                            • Instruction ID: 4b9006c81de5cbe442b288e1576c32e24171c8e14767bb27393f0de91e811dc5
                                                                                                                                                                            • Opcode Fuzzy Hash: 26323a4b7be200d82d01d47cc2cf62ad8e034699c249e2f89ea46934ec275041
                                                                                                                                                                            • Instruction Fuzzy Hash: B8B138B59002189BCF60EF64DC89ADA77B5BF18305F0001EAE549A72A1DB75AFD4CF44
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_catch.LIBCMT ref: 007917B1
                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 0079189D
                                                                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 007918AD
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                             • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Concurrency::cancel_current_taskH_prolog3_catchXinvalid_argumentstd::_
                                                                                                                                                                            • String ID: vector too long
                                                                                                                                                                            • API String ID: 4133478652-2873823879
                                                                                                                                                                            • Opcode ID: 31c75d20f71711cacb37c20bdfb18ef7f56ab3d50e2ed96d7b803c75e24fab53
                                                                                                                                                                            • Instruction ID: 552c1e367318577d139b55b054ba694586eff6db9332239d5ee01d1c729eda68
                                                                                                                                                                            • Opcode Fuzzy Hash: 31c75d20f71711cacb37c20bdfb18ef7f56ab3d50e2ed96d7b803c75e24fab53
                                                                                                                                                                            • Instruction Fuzzy Hash: 6C419F71A00107DFCF14DFACE8958AEBBA5FF45320B20861DE915D7681DB35AA60CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0041006F
                                                                                                                                                                              • Part of subcall function 0042EC48: std::exception::exception.LIBCMT ref: 0042EC5D
                                                                                                                                                                              • Part of subcall function 0042EC48: __CxxThrowException@8.LIBCMT ref: 0042EC72
                                                                                                                                                                              • Part of subcall function 0042EC48: std::exception::exception.LIBCMT ref: 0042EC83
                                                                                                                                                                            • __EH_prolog3_catch.LIBCMT ref: 0041010E
                                                                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00410122
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
                                                                                                                                                                            • String ID: vector<T> too long
                                                                                                                                                                            • API String ID: 2448322171-3788999226
                                                                                                                                                                            • Opcode ID: adf4a1d7e1d46ad6525c877d91ff94b5ad02ee86ab9dfb939e1f121fe8ea235d
                                                                                                                                                                            • Instruction ID: 9177247471c649631c17fecc10ba8c632ccc4c075d8dd84785c2030fa8e5253b
                                                                                                                                                                            • Opcode Fuzzy Hash: adf4a1d7e1d46ad6525c877d91ff94b5ad02ee86ab9dfb939e1f121fe8ea235d
                                                                                                                                                                            • Instruction Fuzzy Hash: CD313872B003229BDB08EF69EC456DE77A2A708311F11106FE520E7254D7BE8DC08B48
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00793684,00000000,?,0080C104,?,?,?,00793827,00000004,InitializeCriticalSectionEx,007A4C68,InitializeCriticalSectionEx), ref: 007936E0
                                                                                                                                                                            • GetLastError.KERNEL32(?,00793684,00000000,?,0080C104,?,?,?,00793827,00000004,InitializeCriticalSectionEx,007A4C68,InitializeCriticalSectionEx,00000000,?,007935A7), ref: 007936EA
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00793712
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                             • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                            • API String ID: 3177248105-2084034818
                                                                                                                                                                            • Opcode ID: 66ac5e5708df7c4b4f78faa023fea48b3c7cd055130c8866bd1496c58284c7ba
                                                                                                                                                                            • Instruction ID: f4c5134d55b8b770ec43bc1522ce0c43fdcefb75282e4ca3953ab257cfec23ac
                                                                                                                                                                            • Opcode Fuzzy Hash: 66ac5e5708df7c4b4f78faa023fea48b3c7cd055130c8866bd1496c58284c7ba
                                                                                                                                                                            • Instruction Fuzzy Hash: F4E04FB1280204F7EF101FF0FC8AB2A3F55BB91B51F108060FA0DA80E1D7ABDA119959
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0040F257
                                                                                                                                                                              • Part of subcall function 0042EC48: std::exception::exception.LIBCMT ref: 0042EC5D
                                                                                                                                                                              • Part of subcall function 0042EC48: __CxxThrowException@8.LIBCMT ref: 0042EC72
                                                                                                                                                                              • Part of subcall function 0042EC48: std::exception::exception.LIBCMT ref: 0042EC83
                                                                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0040F262
                                                                                                                                                                              • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECAA
                                                                                                                                                                              • Part of subcall function 0042EC95: __CxxThrowException@8.LIBCMT ref: 0042ECBF
                                                                                                                                                                              • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECD0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                                                                            • API String ID: 1823113695-4289949731
                                                                                                                                                                            • Opcode ID: 41ce4b4c9a099b4f77c2236bcd3da0778ecbb1318769d225bcb20bb342a12378
                                                                                                                                                                            • Instruction ID: cd7342fa11c39e7fd804ac9e9ab6cb37250b783395530856443caf81d1d171bb
                                                                                                                                                                            • Opcode Fuzzy Hash: 41ce4b4c9a099b4f77c2236bcd3da0778ecbb1318769d225bcb20bb342a12378
                                                                                                                                                                            • Instruction Fuzzy Hash: B7D012A5A4020C7BCB04EBDAE806ACDBAE99B58715F20016BB605D3641EAB856004569
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004122D6,?), ref: 00411D41
                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00411D48
                                                                                                                                                                            • wsprintfW.USER32 ref: 00411D59
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Heap$AllocProcesswsprintf
                                                                                                                                                                            • String ID: %hs
                                                                                                                                                                            • API String ID: 659108358-2783943728
                                                                                                                                                                            • Opcode ID: 2d0c07c98a0cbaf1e898a5dc3ff862fa4a54b983e479ff33ffb3668d4474b514
                                                                                                                                                                            • Instruction ID: 62812af7f09d9c33686cfcbb8b381ddf7a09e976e7f1ad92f6c956f3b95a8282
                                                                                                                                                                            • Opcode Fuzzy Hash: 2d0c07c98a0cbaf1e898a5dc3ff862fa4a54b983e479ff33ffb3668d4474b514
                                                                                                                                                                            • Instruction Fuzzy Hash: 6FD0A73134031477C6101BD4BC0DF9A3F2CDB057A2F001130FA0DD5151C96548144BED
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
                                                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
                                                                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00401416
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CapsCreateDeviceRelease
                                                                                                                                                                            • String ID: DISPLAY
                                                                                                                                                                            • API String ID: 1843228801-865373369
                                                                                                                                                                            • Opcode ID: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
                                                                                                                                                                            • Instruction ID: 9bbdd1ee4896165f6ac39e3e5efd8c25d27bca58a6bb0b57e2a538c7cae0429d
                                                                                                                                                                            • Opcode Fuzzy Hash: cf640d80628ad4e74f3d38171acba973207c28ae387d92be87cd61cc0b75c439
                                                                                                                                                                            • Instruction Fuzzy Hash: C9D012353C030477E1781B50BC5FF1A2934D7C5F02F201124F312580D046A41402963E
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                            • String ID: EtwEventWrite$ntdll.dll
                                                                                                                                                                            • API String ID: 1646373207-1851843765
                                                                                                                                                                            • Opcode ID: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
                                                                                                                                                                            • Instruction ID: fa0301676ac4a0b35d6f0bad7f9db5a069fcd374a286a1e4a3065c0da922a8bc
                                                                                                                                                                            • Opcode Fuzzy Hash: e7173cbc659f646d90c6637380379b2e67bafee961351022300d75924a4236c6
                                                                                                                                                                            • Instruction Fuzzy Hash: 84B09B7078020097CD1467756D5DF07766566457027506165A645D0160D77C5514551D
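The CreateDCA/GetDeviceCaps block and the GetModuleHandleA/GetProcAddress block above are the two call patterns in this stretch of the listing that an analyst would look at first. What follows is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for the per-function "APIs" listing format used on this page, with two triage heuristics layered on top. The SAMPLE text is a constructed excerpt of three of the blocks above, trimmed to the fields the parser uses. The rule names, the reading of a by-name EtwEventWrite lookup as the usual precursor to patching that export, and the reading of the display query as a sandbox check are the example's own heuristics, not findings stated by the report; GetDeviceCaps index 0x0A is VERTRES from wingdi.h.

```python
import re

# Added example, not Joe Sandbox code: parse the per-function "APIs" listing
# this report emits and flag call patterns worth triaging first. SAMPLE is a
# constructed excerpt of three blocks from the listing, trimmed to the fields
# the parser uses.
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004122D6,?), ref: 00411D41
• HeapAlloc.KERNEL32(00000000), ref: 00411D48
• wsprintfW.USER32 ref: 00411D59
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: %hs
APIs
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00401402
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040140D
• ReleaseDC.USER32(00000000,00000000), ref: 00401416
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: DISPLAY
APIs
• GetModuleHandleA.KERNEL32(ntdll.dll), ref: 004018BA
• GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 004018CB
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: EtwEventWrite$ntdll.dll
"""

# "• [Part of subcall function X: ]Func.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[\w:@~]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# any other "• Key: value" line (Source File, String ID, Opcode ID, ...)
FIELD_RE = re.compile(r"^\s*[•*-]?\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
# wingdi.h GetDeviceCaps indices that screen-geometry checks usually query
DEVCAPS = {8: "HORZRES", 10: "VERTRES", 88: "LOGPIXELSX", 90: "LOGPIXELSY"}

def parse_api_line(line):
    """One API line -> {'sub','func','mod','args','ref'}, or None if not an API line."""
    m = API_RE.match(line)
    if not m:
        return None
    call = m.groupdict()
    call["args"] = [a for a in (call["args"] or "").split(",") if a]
    return call

def parse_blocks(text):
    """Split the listing into one dict per 'APIs' header."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "fields": {}, "image_base": None}
            blocks.append(cur)
        elif cur is not None:
            call = parse_api_line(line)
            if call:
                cur["apis"].append(call)
                continue
            m = FIELD_RE.match(line)
            if m:
                cur["fields"][m.group("key")] = m.group("val")
                off = OFFSET_RE.search(m.group("val")) if m.group("key") == "Source File" else None
                if off:
                    cur["image_base"] = int(off.group(1), 16)
    return blocks

def find_call(block, func, needle=None):
    """First call to func in the block, optionally with needle inside an argument."""
    for call in block["apis"]:
        if call["func"] == func and (needle is None or any(needle in a for a in call["args"])):
            return call
    return None

# Triage rules: analyst heuristics layered on the listing, not report findings.
def rule_etw(b):
    call = find_call(b, "GetProcAddress", "EtwEventWrite")
    if call:
        return call["ref"], ("resolves ntdll!EtwEventWrite by name; the usual "
                             "precursor to patching it so ETW providers go quiet")

def rule_display(b):
    caps = find_call(b, "GetDeviceCaps")
    if caps and (find_call(b, "CreateDCA", "DISPLAY") or find_call(b, "CreateDCW", "DISPLAY")):
        try:
            what = DEVCAPS.get(int(caps["args"][-1], 16), "an unmapped index")
        except (ValueError, IndexError):
            what = "an unknown index"
        return caps["ref"], f"queries {what} of the DISPLAY device; screen-geometry checks are a common sandbox test"

RULES = [("etw-resolve", rule_etw), ("display-geometry", rule_display)]

def flag_blocks(blocks):
    """(rule, image_base, ref, message) for every rule that fires on a block."""
    hits = []
    for b in blocks:
        for name, rule in RULES:
            r = rule(b)
            if r:
                hits.append((name, b["image_base"], r[0], r[1]))
    return hits

if __name__ == "__main__":
    for name, base, ref, msg in flag_blocks(parse_blocks(SAMPLE)):
        print(f"[{name}] image {base:#x} @ {ref}: {msg}")
```

Run it directly to print one line per hit. On the sample only the display-geometry and EtwEventWrite blocks fire; the heap/wsprintfW wrapper and, on the full listing, the CRT exception and WriteFile helpers stay unflagged, which is the point of a triage pass over a listing this long. The parser also keeps "Part of subcall function" references and the per-block "Source File" image base, so hits from the 0x400000 image can be separated from those in the 0x790000 image.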
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 0079D08F
                                                                                                                                                                              • Part of subcall function 0079B857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007A0349,?,00000000,-00000008), ref: 0079B903
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0079D2EA
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0079D332
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0079D3D5
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                             • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2112829910-0
                                                                                                                                                                            • Opcode ID: 6d63ecfc7bc5dc46a584d39f64c6fb3a453526c0d20ec0f1e290247ed9f1f557
                                                                                                                                                                            • Instruction ID: dad3f00663d26c0893ea8aaa80c9939939f2515ffd477bc85bc071d21699539f
                                                                                                                                                                            • Opcode Fuzzy Hash: 6d63ecfc7bc5dc46a584d39f64c6fb3a453526c0d20ec0f1e290247ed9f1f557
                                                                                                                                                                            • Instruction Fuzzy Hash: 1ED137B5D00258DFCF25CFA8E884AADBBB5FF49300F18816AE956EB351D734A941CB50
                                                                                                                                                                            APIs
                                                                                                                                                                            • malloc.MSVCRT ref: 0041BE0A
                                                                                                                                                                            • _memmove.LIBCMT ref: 0041BE1E
                                                                                                                                                                            • _memmove.LIBCMT ref: 0041BE6B
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001,?,?,0041AEB0,?,00000001,?,?,?), ref: 0041BE8A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _memmove$FileWritemalloc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 803809635-0
                                                                                                                                                                            • Opcode ID: 2f32b6d30d6ea6acfcbf4458e2c3a94141a5c390d0cdfed8c56d90b68290345c
                                                                                                                                                                            • Instruction ID: bda922fd8d2430ead1ad56b0b84c20489616fa0042db1156ae38f56ccbdc6197
                                                                                                                                                                            • Opcode Fuzzy Hash: 2f32b6d30d6ea6acfcbf4458e2c3a94141a5c390d0cdfed8c56d90b68290345c
                                                                                                                                                                            • Instruction Fuzzy Hash: B6316B71600704AFDB21DF65D980BE7B7F8FB48310F40892EEA4687A00EB74F9458B94
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0079B857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007A0349,?,00000000,-00000008), ref: 0079B903
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0079A5CF
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0079A5D6
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0079A610
                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 0079A617
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                             • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0079B94D
  • Part of subcall function 0079B857: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,007A0349,?,00000000,-00000008), ref: 0079B903
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0079B985
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0079B9A5
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
APIs
• WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000), ref: 007A158F
• GetLastError.KERNEL32(?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000,?,?,?,0079D9B0,?), ref: 007A159B
  • Part of subcall function 007A1561: CloseHandle.KERNEL32(FFFFFFFE,007A15AB,?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000,?,?), ref: 007A1571
• ___initconout.LIBCMT ref: 007A15AB
  • Part of subcall function 007A1523: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007A1552,007A0A1A,?,?,0079D429,?,00000000,00000000,?), ref: 007A1536
• WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,007A0A2D,00000000,00000001,00000000,?,?,0079D429,?,00000000,00000000,?), ref: 007A15C0
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
• ??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0040B7F9), ref: 0040A9CC
  • Part of subcall function 0040A7AD: _memset.LIBCMT ref: 0040A7EA
  • Part of subcall function 0040A7AD: _memmove.LIBCMT ref: 0040A890
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: _memmove_memset
• String ID: passwords.txt$pe
• API String ID: 3555123492-1761351166
APIs
• _memset.LIBCMT ref: 00415885
• _memset.LIBCMT ref: 00415896
  • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E72B,?,?,?), ref: 00407FC7
Yara matches
Similarity
• API ID: _memset$CreateFile
• String ID: \A
• API String ID: 3749192340-4091869122
APIs
• _memset.LIBCMT ref: 00401ADC
  • Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E72B,?,?,?), ref: 00407FC7
  • Part of subcall function 00416ED9: CreateThread.KERNEL32(00000000,00000000,00416E08,?,00000000,00000000), ref: 00416F78
  • Part of subcall function 00416ED9: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416F80
Yara matches
Similarity
• API ID: Create$FileObjectSingleThreadWait_memset
• String ID: .keys$\Monero\wallet.keys
• API String ID: 548113856-3586502688
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: strtok_s
                                                                                                                                                                            • String ID: block
                                                                                                                                                                            • API String ID: 3330995566-2199623458
                                                                                                                                                                            • Opcode ID: 0cd00ea6f70d51830dcd949b582bedc8c9d369e319273a4f00376522836f950e
                                                                                                                                                                            • Instruction ID: d59fb6db9598feace06db38a85abc02bf4668801575a1cba740998495c8bbee7
                                                                                                                                                                            • Opcode Fuzzy Hash: 0cd00ea6f70d51830dcd949b582bedc8c9d369e319273a4f00376522836f950e
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A4162F0E44306BBEF449F75DC49E9A7B6CFB14B07F205066E402D2192E739A6819B5C
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00405237: RtlAllocateHeap.NTDLL(00000000), ref: 00405285
                                                                                                                                                                            • _memset.LIBCMT ref: 00412D1F
                                                                                                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00436718), ref: 00412D71
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocateCreateHeapProcess_memset
                                                                                                                                                                            • String ID: .exe
                                                                                                                                                                            • API String ID: 4288379676-4119554291
                                                                                                                                                                            • Opcode ID: 3f79d96ebe65ce9f60bf98a9ec1060deacb7e9440d6982d4f53f255cd694c0c6
                                                                                                                                                                            • Instruction ID: 1cbdd74ce5e2f54995cc1b0461791f526a41f78417fceba462659711e758d906
                                                                                                                                                                            • Opcode Fuzzy Hash: 3f79d96ebe65ce9f60bf98a9ec1060deacb7e9440d6982d4f53f255cd694c0c6
                                                                                                                                                                            • Instruction Fuzzy Hash: 1C416572A001197BDB11FBA6ED46ACE7774AF44348F110077F600B7191DAB86E8A8B99
                                                                                                                                                                            APIs
                                                                                                                                                                            • EncodePointer.KERNEL32(00000000,?), ref: 00794227
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                                                                                                                                                                            • Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EncodePointer
                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                            • API String ID: 2118026453-2084237596
                                                                                                                                                                            • Opcode ID: 25ef3ef6db8584a69b31dff201e5d79d727998065986241c31299e46a0d23d0b
                                                                                                                                                                            • Instruction ID: 94e9503364b36f0ca013b483a7f3eaeacde0ddf7aa49313762f663cccfb3d961
                                                                                                                                                                            • Opcode Fuzzy Hash: 25ef3ef6db8584a69b31dff201e5d79d727998065986241c31299e46a0d23d0b
                                                                                                                                                                            • Instruction Fuzzy Hash: 74415771900209EFCF16DFA4E981EEEBBB5FF48304F158199F914A7221D3399A51DB90
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: strtok_s
                                                                                                                                                                            • String ID: !xA
                                                                                                                                                                            • API String ID: 3330995566-552826685
                                                                                                                                                                            • Opcode ID: e22b9a80b889634fb84a1a602b9536d33de6bd553385c31e20c0b465d2548ce6
                                                                                                                                                                            • Instruction ID: 3fe8997732ba686d3a560fed94bb41f929e857440078fb9370e0589d3031cea3
                                                                                                                                                                            • Opcode Fuzzy Hash: e22b9a80b889634fb84a1a602b9536d33de6bd553385c31e20c0b465d2548ce6
                                                                                                                                                                            • Instruction Fuzzy Hash: D3319671E00209AFCB15CF64CC85BAAB7A8AB18717F11505BEC16DB191DB38CB859B4C
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: strtok_s
                                                                                                                                                                            • String ID: !yA
                                                                                                                                                                            • API String ID: 3330995566-971523708
                                                                                                                                                                            • Opcode ID: b762d46454894bb02d857de4279976665da993c44a40d47f4e48ba8b97d39194
                                                                                                                                                                            • Instruction ID: 8daaa68a4849a336b57da01ae9ccec3ff93276654c479072e654c29869aa4826
                                                                                                                                                                            • Opcode Fuzzy Hash: b762d46454894bb02d857de4279976665da993c44a40d47f4e48ba8b97d39194
                                                                                                                                                                            • Instruction Fuzzy Hash: 9E21B571900509FBCB14DF54C881ADAB7AEFF08706F10909BE805EB245E774DB958B98
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: strtok_s
                                                                                                                                                                            • String ID: dxA
                                                                                                                                                                            • API String ID: 3330995566-1453471766
                                                                                                                                                                            • Opcode ID: b202c6e826b63aed6aafe9f09b9d2ed0cf3ef15fd7c1ef6828ed005ff2ae795d
                                                                                                                                                                            • Instruction ID: 6dbdc327abe0b7bdd62296a97cc44212dd7b8b5fcf646ffcf01bf3631009289d
                                                                                                                                                                            • Opcode Fuzzy Hash: b202c6e826b63aed6aafe9f09b9d2ed0cf3ef15fd7c1ef6828ed005ff2ae795d
                                                                                                                                                                            • Instruction Fuzzy Hash: EE117F71D00205BBDB01DF54C945BDAB7BCAF1430AF118067E805EB192EB78DB888B99
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Xinvalid_argument_memmovestd::_
                                                                                                                                                                            • String ID: string too long
                                                                                                                                                                            • API String ID: 256744135-2556327735
                                                                                                                                                                            • Opcode ID: 9ab7ffb0b2f326456677b1f79b79f2c098f1a111591ca759752f296dba124a34
                                                                                                                                                                            • Instruction ID: 16e103bfe31d37185bf5c7de33bb9638cae5392d9fcef40893c2fcaba1ae33d0
                                                                                                                                                                            • Opcode Fuzzy Hash: 9ab7ffb0b2f326456677b1f79b79f2c098f1a111591ca759752f296dba124a34
                                                                                                                                                                            • Instruction Fuzzy Hash: 4E11E371300201ABDB349F2DD840A26B36AEF85314754013BF811A7FC3D77AEC59C2AA
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
                                                                                                                                                                            Yara matches
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: strtok_s
                                                                                                                                                                            • String ID: wA
                                                                                                                                                                            • API String ID: 3330995566-2241071787
                                                                                                                                                                            • Opcode ID: 03c9d05ba65a6471ac5d7dd26cdd6ef2a9fe879898745d5af2ce2928e3329650
                                                                                                                                                                            • Instruction ID: dd06b3abd3b646703b1e960a5a46f236944b89903e4829c3616115ef650a42d7
                                                                                                                                                                            • Opcode Fuzzy Hash: 03c9d05ba65a6471ac5d7dd26cdd6ef2a9fe879898745d5af2ce2928e3329650
                                                                                                                                                                            • Instruction Fuzzy Hash: 24115B32904009BBCB01DF98D981EDAB7BCEB18315F144066ED09A7281E738FF898B94
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0040F113
                                                                                                                                                                              • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECAA
                                                                                                                                                                              • Part of subcall function 0042EC95: __CxxThrowException@8.LIBCMT ref: 0042ECBF
                                                                                                                                                                              • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECD0
                                                                                                                                                                              • Part of subcall function 0040F20D: std::_Xinvalid_argument.LIBCPMT ref: 0040F217
                                                                                                                                                                            • _memmove.LIBCMT ref: 0040F165
                                                                                                                                                                            Strings
                                                                                                                                                                            • invalid string position, xrefs: 0040F10E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
• String ID: invalid string position
• API String ID: 3404309857-1799206989
• Opcode ID: 830cd19bc87ebd4e9a428bdd184161be238bb4b90864cf033e6eb64a8d59b0ac
• Instruction ID: 0f2a2e5d1042d6142e24e23fb3187576949ae71e1aabcf4daa3e713127503f5f
• Opcode Fuzzy Hash: 830cd19bc87ebd4e9a428bdd184161be238bb4b90864cf033e6eb64a8d59b0ac
• Instruction Fuzzy Hash: 1511E531700210DBCB24AE6DEC8095A73A5AF19364744053BF819AFBC2C378EC4887D9
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 0040F331
  • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECAA
  • Part of subcall function 0042EC95: __CxxThrowException@8.LIBCMT ref: 0042ECBF
  • Part of subcall function 0042EC95: std::exception::exception.LIBCMT ref: 0042ECD0
• memmove.MSVCRT(0040EE93,0040EE93,C6C68B00,0040EE93,0040EE93,0040F134,?,?,?,0040F1B4,?,?,?,76230440,?,-00000001), ref: 0040F367
Strings
• invalid string position, xrefs: 0040F32C
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
• String ID: invalid string position
• API String ID: 1659287814-1799206989
• Opcode ID: 389f0c4840b7d1541f829097ee8e6f8f304199d2df2ed63ef39a589171cd9ddd
• Instruction ID: cdd25209bcd68f1a3d16c884ec3f7ab82b6f6a003171765248ebeed3a1be3c3e
• Opcode Fuzzy Hash: 389f0c4840b7d1541f829097ee8e6f8f304199d2df2ed63ef39a589171cd9ddd
• Instruction Fuzzy Hash: 5E01A2313007018BD7349E79898452AB2A2E785B21764093ED882D7B85D77CEC4F8398
APIs
• strcpy_s.MSVCRT ref: 0042822E
• __invoke_watson.LIBCMT ref: 00428282
  • Part of subcall function 004280BD: _strcat_s.LIBCMT ref: 004280DC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: __invoke_watson_strcat_sstrcpy_s
• String ID: ,NC
• API String ID: 1132195725-1329140791
• Opcode ID: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
• Instruction ID: 887ac42e1f57a759d752bdf1b5693751cd5b436693fdf8cbc82bc90985ef9ef6
• Opcode Fuzzy Hash: 731b6ac6b642e3e8e5147aea8b100b6241764734f43c48f2503a638a59afb5d8
• Instruction Fuzzy Hash: 48F046B2641228BBCF112EA1DC02EDB3F6DEF40310F8480ABFA080A012D736ED14C7A4
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00412487
• CloseHandle.KERNEL32(00000000), ref: 004124F6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: CloseH_prolog3_catch_Handle
• String ID: steam.exe
• API String ID: 860495366-2826358650
• Opcode ID: 1f1d547a7b855ff9034f6da7222f6d51af6dd329fee223ce5cabf189c78c11ae
• Instruction ID: cf4753bf5f8f3a473b35f1a87767389bf5426fe253dbbe0f85a1726b48fb5a1b
• Opcode Fuzzy Hash: 1f1d547a7b855ff9034f6da7222f6d51af6dd329fee223ce5cabf189c78c11ae
• Instruction Fuzzy Hash: 50011E70A002289BDB60DF64DD44BDE77B8AB08301F8401A6A409E22A0DB789F918B55
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 0040EF9C
  • Part of subcall function 0042EC48: std::exception::exception.LIBCMT ref: 0042EC5D
  • Part of subcall function 0042EC48: __CxxThrowException@8.LIBCMT ref: 0042EC72
  • Part of subcall function 0042EC48: std::exception::exception.LIBCMT ref: 0042EC83
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: a@$string too long
• API String ID: 1823113695-2520057392
• Opcode ID: d7edcf562317307c36e651cb406e568009eb5bdc608ba4bb1eee05260a702fdd
• Instruction ID: 636e3eac73b0fad8778dd92469e3ad4607b5323e4d3f1a542e8950d6790ab08e
• Opcode Fuzzy Hash: d7edcf562317307c36e651cb406e568009eb5bdc608ba4bb1eee05260a702fdd
• Instruction Fuzzy Hash: 25F0F031308242ABC704AF2E8841910FBA6BF513207080A7AF452AB7D2C779E870C3DA
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: NameName::
• String ID: {flat}
• API String ID: 1333004437-2606204563
• Opcode ID: f0e67f0bd425649b1243776bf99fc72a1a75bb9619be83989c24d2c9795622b6
• Instruction ID: 860f8910574c7f5b93a329a82e866fcf87d70aea3f1f23aa4500cbc6c74e443d
• Opcode Fuzzy Hash: f0e67f0bd425649b1243776bf99fc72a1a75bb9619be83989c24d2c9795622b6
• Instruction Fuzzy Hash: 6CF085312402089FCB10AF58D805AE63BA1AF8575AF088096F94C0F296C624D8C3CB9A
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00798413
Strings
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: :!y$InitializeCriticalSectionEx
• API String ID: 2593887523-1094532196
• Opcode ID: a58efc6c67c84928a3d2a3dc6b8002a2f87b318b7f0d656486a1c34be2c5f705
• Instruction ID: 9b3992deb32c2bcaf64feaf8547ba1dffca28372ecf0f7499c8caf640c6f5f94
• Opcode Fuzzy Hash: a58efc6c67c84928a3d2a3dc6b8002a2f87b318b7f0d656486a1c34be2c5f705
• Instruction Fuzzy Hash: AEE06D36581258B7CF111F51EC09E9A3F22EBD2760B108110F91815160CBBA89619AD5
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2447332766.0000000000791000.00000020.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447356615.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447378391.00000000007AB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447419333.000000000080D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2447437565.0000000000810000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_790000_Unlock_Tool_2.jbxd
Similarity
• API ID: Alloc
• String ID: :!y$FlsAlloc
• API String ID: 2773662609-1522199544
• Opcode ID: 3b11d54e125d365b1f617d2544feaab8d8b4990e26cadf6cf60a6c942917ef68
• Instruction ID: b19d515d601bd7b9cc50be6c4e065945c10684fda98ea1284fee560b9df38869
• Opcode Fuzzy Hash: 3b11d54e125d365b1f617d2544feaab8d8b4990e26cadf6cf60a6c942917ef68
• Instruction Fuzzy Hash: E3E0C232AC1228B78A1027A0EC0E99EBA56DBD3F62B414121FA1452150DEEE495192EA
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus_memset
• String ID: @
• API String ID: 587104284-2766056989
• Opcode ID: 53f8373e70c9b3f2ad4edb26b660f9fb934cc4b7cfd11dbf86275af389dbaa33
• Instruction ID: 3f45e969e00d53325eeeeb0d61c2f771aa6840bd7d13b4847dbbb2bfcabd8c63
• Opcode Fuzzy Hash: 53f8373e70c9b3f2ad4edb26b660f9fb934cc4b7cfd11dbf86275af389dbaa33
• Instruction Fuzzy Hash: 0AE0B8F1D0020C9BDB14DFA5E946B5D77F89B08708F5000299A05F7181D674BA098659
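The entries above are the per-function output of the Joe Sandbox IDA plugin, one block per recovered function with its resolved imports, referenced strings, the memory dump it was lifted from and the opcode/instruction hashes used for similarity matching. Reading hundreds of these by eye is slow; what a triager usually wants is a query such as "which functions in the unpacked 0x400000 image reference steam.exe" or "how often does GlobalMemoryStatus (a common RAM-size sandbox check) show up". The parser below is an added example written for this page, not Joe Sandbox code. It assumes only the layout visible above (six section headers per function, "•" items, "Key: Value" pairs under Joe Sandbox IDA Plugin and Similarity) and treats a trailing "Download File" as web-page button text fused onto a dump name. SAMPLE is constructed from two of the entries above, with the memmove argument list shortened and one "Associated" dump line moved into the second record to exercise the residue handling.

```python
"""Parser for the per-function entries of a Joe Sandbox 'function details'
listing. Added example for this page, not Joe Sandbox code: it assumes only
the layout visible in the report (six section headers per function, '•'
items, 'Key: Value' pairs under Similarity)."""
import re
from collections import Counter

SECTIONS = ("APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity")
# "name.MODULE(args), ref: ADDR"  or  "Part of subcall function ADDR: name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xrefs>[0-9A-F]+)$")
RESIDUE = "Download File"  # assumption: page-button text fused onto dump names


def parse_function_details(text):
    """One dict per function. 'APIs' opens a record, so lines before the first
    'APIs' header (a record cut off by pagination) are skipped."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "dumps": [], "yara": [], "meta": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            rec["apis"].append(m.groupdict() if m else {"raw": item})
        elif section == "Strings":
            m = STRING_RE.match(item)
            rec["strings"].append(m.groupdict() if m else {"value": item, "xrefs": None})
        elif section == "Memory Dump Source":
            rec["dumps"].append(item[:-len(RESIDUE)] if item.endswith(RESIDUE) else item)
        elif section == "Yara matches":
            rec["yara"].append(item)
        else:  # "Joe Sandbox IDA Plugin" and "Similarity" carry Key: Value pairs
            key, _, value = item.partition(": ")
            rec["meta"][key] = value
    return records


def functions_referencing(records, needle):
    """Opcode IDs of functions whose API names, strings or String ID contain needle."""
    hits = []
    for rec in records:
        haystack = [a.get("api", "") for a in rec["apis"]]
        haystack += [s["value"] for s in rec["strings"]] + [rec["meta"].get("String ID", "")]
        if any(needle in h for h in haystack):
            hits.append(rec["meta"].get("Opcode ID"))
    return hits


def api_histogram(records):
    """How often each resolved API name occurs across all parsed functions."""
    return Counter(a["api"] for r in records for a in r["apis"] if "api" in a)


# Constructed sample: two entries from the report, argument list shortened.
SAMPLE = """\
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 0040F331
  • Part of subcall function 0042EC95: __CxxThrowException@8.LIBCMT ref: 0042ECBF
• memmove.MSVCRT(0040EE93,0040EE93,C6C68B00,0040EE93), ref: 0040F367
Strings
• invalid string position, xrefs: 0040F32C
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
• String ID: invalid string position
• Opcode ID: 830cd19bc87ebd4e9a428bdd184161be238bb4b90864cf033e6eb64a8d59b0ac
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 00412487
• CloseHandle.KERNEL32(00000000), ref: 004124F6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2446832574.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2447316780.0000000000790000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_Unlock_Tool_2.jbxd
Similarity
• API ID: CloseH_prolog3_catch_Handle
• String ID: steam.exe
• Opcode ID: 1f1d547a7b855ff9034f6da7222f6d51af6dd329fee223ce5cabf189c78c11ae
"""

if __name__ == "__main__":
    recs = parse_function_details(SAMPLE)
    print(functions_referencing(recs, "steam.exe"))
    print(api_histogram(recs).most_common(3))
```

Feed it the copied text of a whole "function details" section and the Opcode IDs it returns can be pasted back into the report's search to jump to the function, or used as keys when diffing two reports of the same family. The "Similarity" String ID joins several strings with "$" (see "a@$string too long" above), so substring matching against it is deliberate rather than splitting on a separator the tool does not document.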